Analysis
max time kernel: 120s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/10/2024, 20:13

Static task: static1
Behavioral task: behavioral1
  Sample: 3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
  Resource: win10v2004-20241007-en
(The platform and resource fields above match behavioral2; the signatures and process tree on this page come from that Windows 10 run, not from the win7 task.)

General
Target: 3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
Size: 208KB
MD5: 53e48d35baa6602c78be92c1b6746f10
SHA1: 5edfa4ea46bb0b1eca7203aaeea78d8bc224fd7a
SHA256: 3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5
SHA512: ed941e573b7ce84811767ca69f670b10dfad26338885d581ce3e31de671d028bec10a3e3bfb2695e8ea9958b7eb32a58e1ebb64fab2d70f58bb75de6bbf8125b
SSDEEP: 3072:P/gPWDqdQqW569iBKgccmSYqtpEG6w7o4NLthEjQT6c:36Qq469iYvc7YKuGEQEj+
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence.
All 64 IoCs are the same operation on the same value, differing only in the querying process:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
Process (64, in report order): QJVGE.exe, JZOFR.exe, RQLFL.exe, ZYCLKJ.exe, KXACWMJ.exe, EEX.exe, XOR.exe, RXBFQFS.exe, VSNTGGN.exe, RFGU.exe, TFXKWY.exe, ZMVTV.exe, MLL.exe, NRBMP.exe, WVKLZJF.exe, UKPWOE.exe, EYVYTE.exe, YEPNZ.exe, XQBNNOW.exe, LPZ.exe, RSH.exe, TOR.exe, GPJXUQJ.exe, PTAU.exe, SLP.exe, GCKHXUG.exe, PBYI.exe, LJAPN.exe, QSWHVA.exe, FRK.exe, MNKTF.exe, KIY.exe, CIKHZS.exe, ZCCURSN.exe, FXIQMG.exe, GZOVQ.exe, UKFAH.exe, PGLDBP.exe, GDX.exe, JMEI.exe, OWJGO.exe, ADT.exe, KZI.exe, JAXQFX.exe, BNMNUXI.exe, TIZV.exe, NVHAA.exe, NCZTQN.exe, ABDDQVP.exe, OOFOHMO.exe, IOVH.exe, BHZ.exe, DSPZIM.exe, NYNUC.exe, BHTECI.exe, NKYJZ.exe, ABJB.exe, QIWRN.exe, KTRXBE.exe, RASSGC.exe, EOSGRCT.exe, WFCOSO.exe, XWNO.exe, OJXX.exe
Executes dropped EXE (64 IoCs)
pid | Process
3684 | RASSGC.exe
1156 | LJAPN.exe
4820 | RJI.exe
2928 | RXA.exe
748 | UKFAH.exe
4768 | SKNOQYC.exe
4272 | MXSX.exe
1316 | IIIWPIM.exe
3792 | ODMP.exe
1192 | HRTNAZR.exe
1756 | PXXCKXM.exe
5016 | BPNNCYU.exe
4708 | UQCYLZC.exe
1928 | ADT.exe
4416 | PGLDBP.exe
2292 | TOR.exe
4504 | KZI.exe
2272 | HPVSVI.exe
676 | EUNH.exe
2376 | KQNIPHK.exe
4048 | VIUBHIA.exe
1980 | HQBB.exe
988 | JOOWAIX.exe
3384 | YEPNZ.exe
764 | EEX.exe
3560 | QSWHVA.exe
3616 | CIKHZS.exe
424 | ULOKNIH.exe
1576 | CQTRYGC.exe
1168 | MOGDFPL.exe
4908 | FRK.exe
4120 | WRZE.exe
4428 | RCHD.exe
248 | DQGBQIH.exe
2696 | GDX.exe
2976 | YGBGP.exe
4588 | XRMW.exe
264 | BHTECI.exe
4708 | SHVJ.exe
3640 | NCZTQN.exe
740 | JAXQFX.exe
4176 | TIZV.exe
704 | XOR.exe
1464 | QJVGE.exe
4704 | AHBA.exe
1064 | CEOV.exe
2528 | VSNTGGN.exe
4768 | XQBNNOW.exe
3384 | ALKPZAD.exe
336 | IQXVJYZ.exe
1316 | VWXHTK.exe
1156 | LRO.exe
2316 | RFGU.exe
1576 | NKYJZ.exe
3052 | TFXKWY.exe
3396 | ZBJLKUZ.exe
1820 | JZOFR.exe
4044 | ZUY.exe
4608 | RXBFQFS.exe
3172 | ZCCURSN.exe
412 | MNKTF.exe
1376 | EVZQS.exe
1984 | KIY.exe
1532 | TWIR.exe
(PIDs recur because earlier chain members have already exited and crashed by the time later ones start; see "Program crash" below.)
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\windows\SysWOW64\FXIQMG.exe | ZCFPYR.exe
File opened for modification | C:\windows\SysWOW64\BNMNUXI.exe | NRBMP.exe
File created | C:\windows\SysWOW64\HRTNAZR.exe | ODMP.exe
File created | C:\windows\SysWOW64\EUNH.exe | HPVSVI.exe
File created | C:\windows\SysWOW64\JCYG.exe.bat | QJIV.exe
File created | C:\windows\SysWOW64\RVZSGNO.exe | GCKHXUG.exe
File created | C:\windows\SysWOW64\IPYRF.exe | OWJGO.exe
File created | C:\windows\SysWOW64\PBYI.exe.bat | QIWRN.exe
File created | C:\windows\SysWOW64\RXA.exe.bat | RJI.exe
File created | C:\windows\SysWOW64\SKNOQYC.exe | UKFAH.exe
File opened for modification | C:\windows\SysWOW64\IQXVJYZ.exe | ALKPZAD.exe
File created | C:\windows\SysWOW64\MYNM.exe.bat | XIMNVW.exe
File created | C:\windows\SysWOW64\RFGU.exe.bat | LRO.exe
File created | C:\windows\SysWOW64\MXFRJAW.exe.bat | IPYRF.exe
File created | C:\windows\SysWOW64\YCGW.exe | ZMVTV.exe
File opened for modification | C:\windows\SysWOW64\HPVSVI.exe | KZI.exe
File created | C:\windows\SysWOW64\HQBB.exe.bat | VIUBHIA.exe
File created | C:\windows\SysWOW64\FDEH.exe | LPZ.exe
File created | C:\windows\SysWOW64\RVZSGNO.exe.bat | GCKHXUG.exe
File opened for modification | C:\windows\SysWOW64\VIUBHIA.exe | KQNIPHK.exe
File created | C:\windows\SysWOW64\CEOV.exe.bat | AHBA.exe
File created | C:\windows\SysWOW64\ANDNLP.exe | PVWCTO.exe
File opened for modification | C:\windows\SysWOW64\RXA.exe | RJI.exe
File opened for modification | C:\windows\SysWOW64\EYVYTE.exe | RVZSGNO.exe
File created | C:\windows\SysWOW64\FXIQMG.exe.bat | ZCFPYR.exe
File created | C:\windows\SysWOW64\MJHABJ.exe | SQZPSJ.exe
File created | C:\windows\SysWOW64\BNMNUXI.exe.bat | NRBMP.exe
File opened for modification | C:\windows\SysWOW64\OWJGO.exe | UBE.exe
File created | C:\windows\SysWOW64\JCYG.exe | QJIV.exe
File opened for modification | C:\windows\SysWOW64\IOVH.exe | ABJB.exe
File opened for modification | C:\windows\SysWOW64\EUNH.exe | HPVSVI.exe
File opened for modification | C:\windows\SysWOW64\XQBNNOW.exe | VSNTGGN.exe
File created | C:\windows\SysWOW64\LRO.exe | VWXHTK.exe
File created | C:\windows\SysWOW64\GPJXUQJ.exe | IACUIXB.exe
File created | C:\windows\SysWOW64\QVXX.exe.bat | DSPZIM.exe
File created | C:\windows\SysWOW64\RXA.exe | RJI.exe
File created | C:\windows\SysWOW64\MOGDFPL.exe | CQTRYGC.exe
File created | C:\windows\SysWOW64\GPJXUQJ.exe.bat | IACUIXB.exe
File created | C:\windows\SysWOW64\FDEH.exe.bat | LPZ.exe
File created | C:\windows\SysWOW64\WFCOSO.exe | DCYSF.exe
File created | C:\windows\SysWOW64\YEPNZ.exe.bat | JOOWAIX.exe
File created | C:\windows\SysWOW64\MOGDFPL.exe.bat | CQTRYGC.exe
File opened for modification | C:\windows\SysWOW64\RXBFQFS.exe | ZUY.exe
File created | C:\windows\SysWOW64\RUSST.exe.bat | EOSGRCT.exe
File created | C:\windows\SysWOW64\OJXX.exe | KTRXBE.exe
File created | C:\windows\SysWOW64\SKNOQYC.exe.bat | UKFAH.exe
File created | C:\windows\SysWOW64\HQBB.exe | VIUBHIA.exe
File opened for modification | C:\windows\SysWOW64\QJVGE.exe | XOR.exe
File created | C:\windows\SysWOW64\RXBFQFS.exe | ZUY.exe
File opened for modification | C:\windows\SysWOW64\WFCOSO.exe | DCYSF.exe
File created | C:\windows\SysWOW64\ANDNLP.exe.bat | PVWCTO.exe
File created | C:\windows\SysWOW64\BNMNUXI.exe | NRBMP.exe
File created | C:\windows\SysWOW64\HRTNAZR.exe.bat | ODMP.exe
File created | C:\windows\SysWOW64\PXXCKXM.exe.bat | HRTNAZR.exe
File created | C:\windows\SysWOW64\VIUBHIA.exe | KQNIPHK.exe
File created | C:\windows\SysWOW64\MXFRJAW.exe | IPYRF.exe
File opened for modification | C:\windows\SysWOW64\RFGU.exe | LRO.exe
File created | C:\windows\SysWOW64\XIMNVW.exe.bat | GPJXUQJ.exe
File created | C:\windows\SysWOW64\OWJGO.exe | UBE.exe
File created | C:\windows\SysWOW64\FXIQMG.exe | ZCFPYR.exe
File created | C:\windows\SysWOW64\UKFAH.exe | RXA.exe
File opened for modification | C:\windows\SysWOW64\YEPNZ.exe | JOOWAIX.exe
File created | C:\windows\SysWOW64\RCHD.exe.bat | WRZE.exe
File opened for modification | C:\windows\SysWOW64\DQGBQIH.exe | RCHD.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\windows\system\HXMYUN.exe | ZRHRJPE.exe
File created | C:\windows\EOSGRCT.exe | PTAU.exe
File opened for modification | C:\windows\MWCHEG.exe | IOVH.exe
File opened for modification | C:\windows\system\ODMP.exe | IIIWPIM.exe
File created | C:\windows\BPNNCYU.exe.bat | PXXCKXM.exe
File created | C:\windows\ADT.exe | UQCYLZC.exe
File opened for modification | C:\windows\system\QSWHVA.exe | EEX.exe
File created | C:\windows\system\NCZTQN.exe | SHVJ.exe
File created | C:\windows\system\NRBMP.exe.bat | QZRKDE.exe
File created | C:\windows\system\KLNJHKF.exe | KXACWMJ.exe
File opened for modification | C:\windows\system\JZOFR.exe | ZBJLKUZ.exe
File created | C:\windows\KIY.exe.bat | EVZQS.exe
File created | C:\windows\PIYICTZ.exe.bat | FKSOUKQ.exe
File opened for modification | C:\windows\RASSGC.exe | 3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
File created | C:\windows\RASSGC.exe.bat | 3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
File created | C:\windows\LJAPN.exe.bat | RASSGC.exe
File opened for modification | C:\windows\system\VSNTGGN.exe | CEOV.exe
File opened for modification | C:\windows\VWXHTK.exe | IQXVJYZ.exe
File opened for modification | C:\windows\PTAU.exe | NVHAA.exe
File created | C:\windows\system\UJFLWR.exe | OJXX.exe
File created | C:\windows\BPNNCYU.exe | PXXCKXM.exe
File created | C:\windows\system\AHBA.exe | QJVGE.exe
File created | C:\windows\NKYJZ.exe.bat | RFGU.exe
File created | C:\windows\system\NYNUC.exe.bat | RSH.exe
File created | C:\windows\system\RWWK.exe.bat | GEB.exe
File created | C:\windows\RASSGC.exe | 3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
File created | C:\windows\system\OOFOHMO.exe | VLB.exe
File opened for modification | C:\windows\system\OOFOHMO.exe | VLB.exe
File opened for modification | C:\windows\system\UKPWOE.exe | MWCHEG.exe
File created | C:\windows\system\QIWRN.exe | BNMNUXI.exe
File created | C:\windows\XRMW.exe.bat | YGBGP.exe
File opened for modification | C:\windows\system\FPRKN.exe | EMO.exe
File opened for modification | C:\windows\system\JAXQFX.exe | NCZTQN.exe
File opened for modification | C:\windows\KIY.exe | EVZQS.exe
File opened for modification | C:\windows\system\LPZ.exe | FPRKN.exe
File opened for modification | C:\windows\system\DCYSF.exe | RUSST.exe
File created | C:\windows\HCQSLA.exe.bat | SLP.exe
File opened for modification | C:\windows\AZUIH.exe | JZGKCMG.exe
File opened for modification | C:\windows\system\KXACWMJ.exe | AZUIH.exe
File opened for modification | C:\windows\ADT.exe | UQCYLZC.exe
File created | C:\windows\QJIV.exe | RZGFZ.exe
File opened for modification | C:\windows\PIYICTZ.exe | FKSOUKQ.exe
File created | C:\windows\MLL.exe | EYZ.exe
File created | C:\windows\system\QZRKDE.exe | XWNO.exe
File created | C:\windows\JOOWAIX.exe | HQBB.exe
File created | C:\windows\ULOKNIH.exe | CIKHZS.exe
File created | C:\windows\system\GZOVQ.exe | NWK.exe
File created | C:\windows\KTRXBE.exe | RQN.exe
File created | C:\windows\system\UJFLWR.exe.bat | OJXX.exe
File created | C:\windows\system\GCKHXUG.exe | UKPWOE.exe
File created | C:\windows\system\GZOVQ.exe.bat | NWK.exe
File opened for modification | C:\windows\MBT.exe | RQLFL.exe
File created | C:\windows\system\BHZ.exe | MBT.exe
File created | C:\windows\VLB.exe | CST.exe
File created | C:\windows\WVKLZJF.exe.bat | MXFRJAW.exe
File opened for modification | C:\windows\EOSGRCT.exe | PTAU.exe
File opened for modification | C:\windows\NVHAA.exe | QVXX.exe
File created | C:\windows\YGBGP.exe | GDX.exe
File created | C:\windows\system\LPZ.exe | FPRKN.exe
File created | C:\windows\system\DZJRBP.exe | JMEI.exe
File created | C:\windows\UBE.exe | OOFOHMO.exe
File opened for modification | C:\windows\MLL.exe | EYZ.exe
File opened for modification | C:\windows\system\DSPZIM.exe | JZZOQL.exe
File created | C:\windows\SLP.exe.bat | FBZUZ.exe
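The two "Drops file" listings above show the propagation mechanism: each running copy writes a freshly named X.exe plus an X.exe.bat launcher into C:\windows, C:\windows\system or SysWOW64, and the next link in the chain is that X.exe. The following added Python example (not part of the sandbox report and not code from the sample) parses rows in the report's flattened "description ioc Process" form, pairs each dropped .exe with its .exe.bat, follows the one-successor chain from any starting process, and lists names where only half of the pair was observed. The embedded rows are a constructed subset of the rows listed above; because each listing is capped at 64 entries, the chain reconstructed from them breaks where only one half of a pair survives, which the example reports rather than hides.

```python
"""Reconstruct the self-replicating drop chain from 'Drops file' IoC rows."""
import re
from collections import defaultdict

SAMPLE = "3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe"

# Constructed input: a subset of the report's 'Drops file in Windows directory'
# and 'Drops file in System32 directory' rows, in the flattened form the page uses.
DROP_ROWS = r"""
File created C:\windows\RASSGC.exe 3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
File created C:\windows\RASSGC.exe.bat 3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
File opened for modification C:\windows\RASSGC.exe 3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
File created C:\windows\LJAPN.exe.bat RASSGC.exe
File created C:\windows\SysWOW64\RXA.exe RJI.exe
File created C:\windows\SysWOW64\RXA.exe.bat RJI.exe
File opened for modification C:\windows\SysWOW64\RXA.exe RJI.exe
File created C:\windows\SysWOW64\UKFAH.exe RXA.exe
File created C:\windows\SysWOW64\SKNOQYC.exe UKFAH.exe
File created C:\windows\SysWOW64\SKNOQYC.exe.bat UKFAH.exe
File created C:\windows\SysWOW64\HRTNAZR.exe ODMP.exe
File created C:\windows\SysWOW64\HRTNAZR.exe.bat ODMP.exe
File created C:\windows\SysWOW64\PXXCKXM.exe.bat HRTNAZR.exe
File created C:\windows\BPNNCYU.exe PXXCKXM.exe
File created C:\windows\BPNNCYU.exe.bat PXXCKXM.exe
"""

# description (may contain spaces), then the dropped path, then the dropping process
ROW_RE = re.compile(r"^(File created|File opened for modification)\s+(\S+)\s+(\S+)$")


def parse_drop_rows(text):
    """Return (description, path, process) tuples for every well-formed row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def dropped_name(path):
    """'...\\RXA.exe.bat' -> ('RXA.exe', True); '...\\RXA.exe' -> ('RXA.exe', False)."""
    base = path.rsplit("\\", 1)[-1]
    is_bat = base.lower().endswith(".bat")
    if is_bat:
        base = base[:-4]
    return base, is_bat


def build_drop_graph(rows):
    """dropper process -> {dropped exe name -> set of artefact kinds seen ('exe', 'bat')}."""
    graph = defaultdict(lambda: defaultdict(set))
    for _description, path, process in rows:
        name, is_bat = dropped_name(path)
        graph[process][name].add("bat" if is_bat else "exe")
    return graph


def drop_chain(graph, start):
    """Follow the chain while each dropper has exactly one not-yet-seen successor."""
    chain, seen, cur = [start], {start}, start
    while True:
        successors = [n for n in graph.get(cur, {}) if n not in seen]
        if len(successors) != 1:
            break
        cur = successors[0]
        chain.append(cur)
        seen.add(cur)
    return chain


def incomplete_pairs(graph):
    """Dropped names with only the .exe or only the .exe.bat observed.

    In a 64-entry capped listing these are gaps in the evidence, not in the chain:
    the process tree still shows both halves being used."""
    out = {}
    for dropped in graph.values():
        for name, kinds in dropped.items():
            if kinds != {"exe", "bat"}:
                out[name] = sorted(kinds)
    return out


if __name__ == "__main__":
    g = build_drop_graph(parse_drop_rows(DROP_ROWS))
    for root in (SAMPLE, "RJI.exe", "ODMP.exe"):
        print(" -> ".join(drop_chain(g, root)))
    print("half-observed pairs:", incomplete_pairs(g))
```

Run against the full listings (with the 64-entry cap removed from the sandbox export) the three partial chains join into the single sequence that the process tree at the bottom of this page shows.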
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
pid is the WerFault.exe instance; pid_target is the process that crashed. The pid_target column runs through the original sample (3020) and then the dropped executables in the same order as the "Executes dropped EXE" list, so every link in the chain crashes after it has written and launched its successor.
pid | pid_target | Process | procid_target
468 | 3020 | WerFault.exe | 84
1760 | 3684 | WerFault.exe | 90
828 | 1156 | WerFault.exe | 96
4972 | 4820 | WerFault.exe | 101
2364 | 2928 | WerFault.exe | 106
4728 | 748 | WerFault.exe | 111
5048 | 4768 | WerFault.exe | 116
2408 | 4272 | WerFault.exe | 121
4536 | 1316 | WerFault.exe | 126
4032 | 3792 | WerFault.exe | 131
1668 | 1192 | WerFault.exe | 136
3024 | 1756 | WerFault.exe | 141
2300 | 5016 | WerFault.exe | 146
2732 | 4708 | WerFault.exe | 151
2680 | 1928 | WerFault.exe | 156
1308 | 4416 | WerFault.exe | 161
1852 | 2292 | WerFault.exe | 166
5076 | 4504 | WerFault.exe | 171
3060 | 2272 | WerFault.exe | 176
1124 | 676 | WerFault.exe | 181
3644 | 2376 | WerFault.exe | 186
1516 | 4048 | WerFault.exe | 191
2024 | 1980 | WerFault.exe | 196
3272 | 988 | WerFault.exe | 201
2212 | 3384 | WerFault.exe | 206
3684 | 764 | WerFault.exe | 211
3508 | 3560 | WerFault.exe | 216
4820 | 3616 | WerFault.exe | 221
552 | 424 | WerFault.exe | 226
1940 | 1576 | WerFault.exe | 231
4864 | 1168 | WerFault.exe | 236
3800 | 4908 | WerFault.exe | 241
988 | 4120 | WerFault.exe | 246
3384 | 4428 | WerFault.exe | 251
4632 | 248 | WerFault.exe | 256
4132 | 2696 | WerFault.exe | 261
4532 | 2976 | WerFault.exe | 267
1400 | 4588 | WerFault.exe | 274
4304 | 264 | WerFault.exe | 279
1460 | 4708 | WerFault.exe | 284
2212 | 3640 | WerFault.exe | 290
472 | 740 | WerFault.exe | 295
4392 | 4176 | WerFault.exe | 300
3020 | 704 | WerFault.exe | 305
808 | 1464 | WerFault.exe | 310
1812 | 4704 | WerFault.exe | 315
1532 | 1064 | WerFault.exe | 320
224 | 2528 | WerFault.exe | 325
4324 | 4768 | WerFault.exe | 330
4032 | 3384 | WerFault.exe | 335
4004 | 336 | WerFault.exe | 340
924 | 1316 | WerFault.exe | 345
3432 | 1156 | WerFault.exe | 350
4600 | 2316 | WerFault.exe | 355
1688 | 1576 | WerFault.exe | 360
3576 | 3052 | WerFault.exe | 365
2840 | 3396 | WerFault.exe | 370
860 | 1820 | WerFault.exe | 375
4992 | 4044 | WerFault.exe | 380
5092 | 4608 | WerFault.exe | 385
1316 | 3172 | WerFault.exe | 389
5004 | 412 | WerFault.exe | 395
4800 | 1376 | WerFault.exe | 400
4644 | 1984 | WerFault.exe | 405
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
All 64 IoCs are the same operation on the same key, differing only in the opening process:
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: cmd.exe (28 of the 64 entries, one per .exe.bat launch) and the following 36 executables, in report order: HPVSVI.exe, GDX.exe, NKYJZ.exe, EOSGRCT.exe, KLNJHKF.exe, MXSX.exe, DCYSF.exe, RJI.exe, WVKLZJF.exe, FXIQMG.exe, GEB.exe, UJFLWR.exe, ZBJLKUZ.exe, FDEH.exe, JZZOQL.exe, PVWCTO.exe, VWXHTK.exe, PXXCKXM.exe, IQXVJYZ.exe, OJXX.exe, RQLFL.exe, MBT.exe, ZUY.exe, IOVH.exe, IIIWPIM.exe, XQBNNOW.exe, JZGKCMG.exe, YCGW.exe, ABDDQVP.exe, NCZTQN.exe, NVHAA.exe, RSH.exe, YEPNZ.exe, RCHD.exe, PBYI.exe, ZRHRJPE.exe
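Both registry signatures on this page (Control Panel\International\Geo\Nation and SYSTEM\ControlSet001\Control\NLS\Language) fire on values that locale-aware software reads routinely, so on their own they are weak detection signals. The added Python example below (not from the report or the sandbox vendor) correlates such reads with the launch pattern this report shows, namely a process whose parent is cmd.exe running a <name>.exe.bat script, and only alerts on that combination. The event lines are constructed in a simplified key=value form rather than real Sysmon output; PIDs and paths for the first two chain links mirror the process tree at the bottom of this page, while pid 4560 (a desktop shell) and C:\Program Files\ExampleApp\app.exe (a benign locale reader) are hypothetical.

```python
"""Correlate location-probe registry reads with cmd.exe /c "<name>.exe.bat" launches."""
import re

# Constructed events (not sandbox output). Fields: type, pid, ppid, image, cmdline, key.
EVENTS = r"""
type=proc pid=3020 ppid=4560 image=C:\Users\Admin\AppData\Local\Temp\3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe cmdline="C:\Users\Admin\AppData\Local\Temp\3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe"
type=proc pid=3896 ppid=3020 image=C:\Windows\SysWOW64\cmd.exe cmdline=C:\Windows\system32\cmd.exe /c ""C:\windows\RASSGC.exe.bat" "
type=proc pid=3684 ppid=3896 image=C:\windows\RASSGC.exe cmdline=C:\windows\RASSGC.exe
type=reg pid=3684 image=C:\windows\RASSGC.exe key=\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
type=proc pid=956 ppid=3684 image=C:\Windows\SysWOW64\cmd.exe cmdline=C:\Windows\system32\cmd.exe /c ""C:\windows\LJAPN.exe.bat" "
type=reg pid=956 image=C:\Windows\SysWOW64\cmd.exe key=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
type=proc pid=1156 ppid=956 image=C:\windows\LJAPN.exe cmdline=C:\windows\LJAPN.exe
type=reg pid=1156 image=C:\windows\LJAPN.exe key=\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
type=proc pid=5200 ppid=4560 image=C:\Program Files\ExampleApp\app.exe cmdline="C:\Program Files\ExampleApp\app.exe"
type=reg pid=5200 image=C:\Program Files\ExampleApp\app.exe key=\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
"""

# key=value pairs; a value runs until the next " key=" token or end of line,
# so paths and command lines containing spaces stay intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Registry value paths this report flags, compared case-insensitively as suffixes.
LOCATION_KEY_TAILS = (
    r"control panel\international\geo\nation",
    r"system\controlset001\control\nls\language",
)


def parse_events(text):
    """Parse one event per line into a dict; pid/ppid become ints."""
    events = []
    for line in text.strip().splitlines():
        ev = dict(FIELD_RE.findall(line))
        for field in ("pid", "ppid"):
            if field in ev:
                ev[field] = int(ev[field])
        events.append(ev)
    return events


def is_location_probe(ev):
    """A registry event that reads one of the geolocation/language values."""
    return ev.get("type") == "reg" and ev["key"].lower().endswith(LOCATION_KEY_TAILS)


def launched_by_exe_bat(pid, procs):
    """True when pid's parent is cmd.exe whose command line runs a '<name>.exe.bat'."""
    proc = procs.get(pid)
    parent = procs.get(proc["ppid"]) if proc else None
    if not parent:
        return False
    return (parent["image"].lower().endswith("\\cmd.exe")
            and ".exe.bat" in parent["cmdline"].lower())


def key_tail(key):
    """Last two path components, e.g. 'Geo\\Nation' or 'NLS\\Language'."""
    return "\\".join(key.split("\\")[-2:])


def count_probes(events):
    """How many location probes there are before correlation (the raw signature count)."""
    return sum(1 for ev in events if is_location_probe(ev))


def detect(events):
    """(pid, image, key tail) for location probes by processes launched via an .exe.bat."""
    procs = {ev["pid"]: ev for ev in events if ev.get("type") == "proc"}
    return [
        (ev["pid"], ev["image"], key_tail(ev["key"]))
        for ev in events
        if is_location_probe(ev) and launched_by_exe_bat(ev["pid"], procs)
    ]


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    print(f"{count_probes(evs)} raw location probes, {len(detect(evs))} after correlation")
    for alert in detect(evs):
        print("ALERT", alert)
```

Four processes read a location value in the constructed events, but only the two dropped executables launched through cmd.exe /c "<name>.exe.bat" are reported; the cmd.exe instances themselves (which the report also lists under this signature) and the hypothetical benign reader are not.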
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Each of the following 32 processes is listed twice in the report (64 entries).
pid | Process
3020 | 3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
3684 | RASSGC.exe
1156 | LJAPN.exe
4820 | RJI.exe
2928 | RXA.exe
748 | UKFAH.exe
4768 | SKNOQYC.exe
4272 | MXSX.exe
1316 | IIIWPIM.exe
3792 | ODMP.exe
1192 | HRTNAZR.exe
1756 | PXXCKXM.exe
5016 | BPNNCYU.exe
4708 | UQCYLZC.exe
1928 | ADT.exe
4416 | PGLDBP.exe
2292 | TOR.exe
4504 | KZI.exe
2272 | HPVSVI.exe
676 | EUNH.exe
2376 | KQNIPHK.exe
4048 | VIUBHIA.exe
1980 | HQBB.exe
988 | JOOWAIX.exe
3384 | YEPNZ.exe
764 | EEX.exe
3560 | QSWHVA.exe
3616 | CIKHZS.exe
424 | ULOKNIH.exe
1576 | CQTRYGC.exe
1168 | MOGDFPL.exe
4908 | FRK.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Each of the following 32 processes is listed twice in the report (64 entries).
pid | Process
3020 | 3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
3684 | RASSGC.exe
1156 | LJAPN.exe
4820 | RJI.exe
2928 | RXA.exe
748 | UKFAH.exe
4768 | SKNOQYC.exe
4272 | MXSX.exe
1316 | IIIWPIM.exe
3792 | ODMP.exe
1192 | HRTNAZR.exe
1756 | PXXCKXM.exe
5016 | BPNNCYU.exe
4708 | UQCYLZC.exe
1928 | ADT.exe
4416 | PGLDBP.exe
2292 | TOR.exe
4504 | KZI.exe
2272 | HPVSVI.exe
676 | EUNH.exe
2376 | KQNIPHK.exe
4048 | VIUBHIA.exe
1980 | HQBB.exe
988 | JOOWAIX.exe
3384 | YEPNZ.exe
764 | EEX.exe
3560 | QSWHVA.exe
3616 | CIKHZS.exe
424 | ULOKNIH.exe
1576 | CQTRYGC.exe
1168 | MOGDFPL.exe
4908 | FRK.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Every write below is logged three times in the report; the table lists each distinct entry once. The last entry (3032 to 1756) appears only once because the listing is capped at 64 entries. The writes alternate between a chain executable and the cmd.exe it spawns, i.e. the normal parent-to-child writes of process creation along the chain.
description | pid | Process | procid_target
PID 3020 wrote to memory of 3896 | 3020 | 3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe | 86
PID 3896 wrote to memory of 3684 | 3896 | cmd.exe | 90
PID 3684 wrote to memory of 956 | 3684 | RASSGC.exe | 92
PID 956 wrote to memory of 1156 | 956 | cmd.exe | 96
PID 1156 wrote to memory of 2136 | 1156 | LJAPN.exe | 97
PID 2136 wrote to memory of 4820 | 2136 | cmd.exe | 101
PID 4820 wrote to memory of 3996 | 4820 | RJI.exe | 102
PID 3996 wrote to memory of 2928 | 3996 | cmd.exe | 106
PID 2928 wrote to memory of 2752 | 2928 | RXA.exe | 107
PID 2752 wrote to memory of 748 | 2752 | cmd.exe | 111
PID 748 wrote to memory of 1584 | 748 | UKFAH.exe | 112
PID 1584 wrote to memory of 4768 | 1584 | cmd.exe | 116
PID 4768 wrote to memory of 2680 | 4768 | SKNOQYC.exe | 117
PID 2680 wrote to memory of 4272 | 2680 | cmd.exe | 121
PID 4272 wrote to memory of 2196 | 4272 | MXSX.exe | 122
PID 2196 wrote to memory of 1316 | 2196 | cmd.exe | 126
PID 1316 wrote to memory of 4324 | 1316 | IIIWPIM.exe | 127
PID 4324 wrote to memory of 3792 | 4324 | cmd.exe | 131
PID 3792 wrote to memory of 4632 | 3792 | ODMP.exe | 132
PID 4632 wrote to memory of 1192 | 4632 | cmd.exe | 136
PID 1192 wrote to memory of 3032 | 1192 | HRTNAZR.exe | 137
PID 3032 wrote to memory of 1756 | 3032 | cmd.exe | 141
Processes
The tree alternates between a chain executable and the cmd.exe it launches: each executable writes the next <name>.exe and <name>.exe.bat, then runs cmd.exe /c on the .bat, which starts the next executable. Depth is the nesting level in the sandbox's process tree.

[depth 1] C:\Users\Admin\AppData\Local\Temp\3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe"
  PID: 3020
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RASSGC.exe.bat" "
  PID: 3896
  - Suspicious use of WriteProcessMemory

[depth 3] C:\windows\RASSGC.exe
  command line: C:\windows\RASSGC.exe
  PID: 3684
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LJAPN.exe.bat" "
  PID: 956
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

[depth 5] C:\windows\LJAPN.exe
  command line: C:\windows\LJAPN.exe
  PID: 1156
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RJI.exe.bat" "
  PID: 2136
  - Suspicious use of WriteProcessMemory

[depth 7] C:\windows\RJI.exe
  command line: C:\windows\RJI.exe
  PID: 4820
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RXA.exe.bat" "
  PID: 3996
  - Suspicious use of WriteProcessMemory

[depth 9] C:\windows\SysWOW64\RXA.exe
  command line: C:\windows\system32\RXA.exe
  PID: 2928
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Note: from here on the command lines name C:\windows\system32\... while the image paths and the "Drops file in System32 directory" rows show C:\windows\SysWOW64\.... That is WOW64 file-system redirection: the chain is 32-bit (cmd.exe resolves to C:\Windows\SysWOW64\cmd.exe and the resource is tagged arch:x86), so its writes to and launches from system32 land in SysWOW64. Hunt for the dropped files under SysWOW64, not system32.

[depth 10] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKFAH.exe.bat" "
  PID: 2752
  - Suspicious use of WriteProcessMemory

[depth 11] C:\windows\SysWOW64\UKFAH.exe
  command line: C:\windows\system32\UKFAH.exe
  PID: 748
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SKNOQYC.exe.bat" "
  PID: 1584
  - Suspicious use of WriteProcessMemory

[depth 13] C:\windows\SysWOW64\SKNOQYC.exe
  command line: C:\windows\system32\SKNOQYC.exe
  PID: 4768
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 14] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\MXSX.exe.bat" "
  - System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\windows\MXSX.exeC:\windows\MXSX.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IIIWPIM.exe.bat" "16⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\windows\system\IIIWPIM.exeC:\windows\system\IIIWPIM.exe17⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ODMP.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\windows\system\ODMP.exeC:\windows\system\ODMP.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HRTNAZR.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\windows\SysWOW64\HRTNAZR.exeC:\windows\system32\HRTNAZR.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXXCKXM.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\windows\SysWOW64\PXXCKXM.exeC:\windows\system32\PXXCKXM.exe23⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BPNNCYU.exe.bat" "24⤵
- System Location Discovery: System Language Discovery
PID:1124 -
C:\windows\BPNNCYU.exeC:\windows\BPNNCYU.exe25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\UQCYLZC.exe.bat" "26⤵
PID:3212 -
C:\windows\system\UQCYLZC.exeC:\windows\system\UQCYLZC.exe27⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ADT.exe.bat" "28⤵
- System Location Discovery: System Language Discovery
PID:4464 -
C:\windows\ADT.exeC:\windows\ADT.exe29⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1928 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PGLDBP.exe.bat" "30⤵
PID:2288 -
C:\windows\system\PGLDBP.exeC:\windows\system\PGLDBP.exe31⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4416 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TOR.exe.bat" "32⤵
PID:4496 -
C:\windows\system\TOR.exeC:\windows\system\TOR.exe33⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KZI.exe.bat" "34⤵
PID:1144 -
C:\windows\system\KZI.exeC:\windows\system\KZI.exe35⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HPVSVI.exe.bat" "36⤵
PID:2276 -
C:\windows\SysWOW64\HPVSVI.exeC:\windows\system32\HPVSVI.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EUNH.exe.bat" "38⤵
- System Location Discovery: System Language Discovery
PID:4788 -
C:\windows\SysWOW64\EUNH.exeC:\windows\system32\EUNH.exe39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:676 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KQNIPHK.exe.bat" "40⤵
PID:2168 -
C:\windows\KQNIPHK.exeC:\windows\KQNIPHK.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VIUBHIA.exe.bat" "42⤵
PID:4460 -
C:\windows\SysWOW64\VIUBHIA.exeC:\windows\system32\VIUBHIA.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HQBB.exe.bat" "44⤵
PID:2284 -
C:\windows\SysWOW64\HQBB.exeC:\windows\system32\HQBB.exe45⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JOOWAIX.exe.bat" "46⤵
- System Location Discovery: System Language Discovery
PID:3052 -
C:\windows\JOOWAIX.exeC:\windows\JOOWAIX.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YEPNZ.exe.bat" "48⤵
PID:3604 -
C:\windows\SysWOW64\YEPNZ.exeC:\windows\system32\YEPNZ.exe49⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EEX.exe.bat" "50⤵
PID:4608 -
C:\windows\SysWOW64\EEX.exeC:\windows\system32\EEX.exe51⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:764 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QSWHVA.exe.bat" "52⤵
PID:3832 -
C:\windows\system\QSWHVA.exeC:\windows\system\QSWHVA.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CIKHZS.exe.bat" "54⤵
PID:3844 -
C:\windows\CIKHZS.exeC:\windows\CIKHZS.exe55⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ULOKNIH.exe.bat" "56⤵
PID:1484 -
C:\windows\ULOKNIH.exeC:\windows\ULOKNIH.exe57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:424 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CQTRYGC.exe.bat" "58⤵
PID:2172 -
C:\windows\system\CQTRYGC.exeC:\windows\system\CQTRYGC.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MOGDFPL.exe.bat" "60⤵
PID:2180 -
C:\windows\SysWOW64\MOGDFPL.exeC:\windows\system32\MOGDFPL.exe61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1168 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FRK.exe.bat" "62⤵
PID:1164 -
C:\windows\SysWOW64\FRK.exeC:\windows\system32\FRK.exe63⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WRZE.exe.bat" "64⤵
PID:760 -
C:\windows\WRZE.exeC:\windows\WRZE.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4120 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RCHD.exe.bat" "66⤵
PID:4792 -
C:\windows\SysWOW64\RCHD.exeC:\windows\system32\RCHD.exe67⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4428 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DQGBQIH.exe.bat" "68⤵
- System Location Discovery: System Language Discovery
PID:4268 -
C:\windows\SysWOW64\DQGBQIH.exeC:\windows\system32\DQGBQIH.exe69⤵
- Executes dropped EXE
PID:248 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDX.exe.bat" "70⤵
PID:532 -
C:\windows\SysWOW64\GDX.exeC:\windows\system32\GDX.exe71⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YGBGP.exe.bat" "72⤵
- System Location Discovery: System Language Discovery
PID:572 -
C:\windows\YGBGP.exeC:\windows\YGBGP.exe73⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XRMW.exe.bat" "74⤵
PID:4460 -
C:\windows\XRMW.exeC:\windows\XRMW.exe75⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BHTECI.exe.bat" "76⤵
PID:4040 -
C:\windows\BHTECI.exeC:\windows\BHTECI.exe77⤵
- Checks computer location settings
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SHVJ.exe.bat" "78⤵
PID:3924 -
C:\windows\SysWOW64\SHVJ.exeC:\windows\system32\SHVJ.exe79⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NCZTQN.exe.bat" "80⤵
PID:4404 -
C:\windows\system\NCZTQN.exeC:\windows\system\NCZTQN.exe81⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JAXQFX.exe.bat" "82⤵
PID:3144 -
C:\windows\system\JAXQFX.exeC:\windows\system\JAXQFX.exe83⤵
- Checks computer location settings
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TIZV.exe.bat" "84⤵
PID:1848 -
C:\windows\system\TIZV.exeC:\windows\system\TIZV.exe85⤵
- Checks computer location settings
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XOR.exe.bat" "86⤵
PID:2308 -
C:\windows\XOR.exeC:\windows\XOR.exe87⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QJVGE.exe.bat" "88⤵
PID:2696 -
C:\windows\SysWOW64\QJVGE.exeC:\windows\system32\QJVGE.exe89⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AHBA.exe.bat" "90⤵
PID:1152 -
C:\windows\system\AHBA.exeC:\windows\system\AHBA.exe91⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CEOV.exe.bat" "92⤵
PID:2748 -
C:\windows\SysWOW64\CEOV.exeC:\windows\system32\CEOV.exe93⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1064 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VSNTGGN.exe.bat" "94⤵
PID:4840 -
C:\windows\system\VSNTGGN.exeC:\windows\system\VSNTGGN.exe95⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XQBNNOW.exe.bat" "96⤵
PID:4412 -
C:\windows\SysWOW64\XQBNNOW.exeC:\windows\system32\XQBNNOW.exe97⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ALKPZAD.exe.bat" "98⤵
- System Location Discovery: System Language Discovery
PID:4748 -
C:\windows\ALKPZAD.exeC:\windows\ALKPZAD.exe99⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IQXVJYZ.exe.bat" "100⤵
PID:3872 -
C:\windows\SysWOW64\IQXVJYZ.exeC:\windows\system32\IQXVJYZ.exe101⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VWXHTK.exe.bat" "102⤵
PID:3832 -
C:\windows\VWXHTK.exeC:\windows\VWXHTK.exe103⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LRO.exe.bat" "104⤵
PID:2220 -
C:\windows\SysWOW64\LRO.exeC:\windows\system32\LRO.exe105⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RFGU.exe.bat" "106⤵
PID:2356 -
C:\windows\SysWOW64\RFGU.exeC:\windows\system32\RFGU.exe107⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NKYJZ.exe.bat" "108⤵
PID:3024 -
C:\windows\NKYJZ.exeC:\windows\NKYJZ.exe109⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TFXKWY.exe.bat" "110⤵
- System Location Discovery: System Language Discovery
PID:2120 -
C:\windows\system\TFXKWY.exeC:\windows\system\TFXKWY.exe111⤵
- Checks computer location settings
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZBJLKUZ.exe.bat" "112⤵
PID:2024 -
C:\windows\system\ZBJLKUZ.exeC:\windows\system\ZBJLKUZ.exe113⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JZOFR.exe.bat" "114⤵
PID:2796 -
C:\windows\system\JZOFR.exeC:\windows\system\JZOFR.exe115⤵
- Checks computer location settings
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZUY.exe.bat" "116⤵
PID:1460 -
C:\windows\ZUY.exeC:\windows\ZUY.exe117⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RXBFQFS.exe.bat" "118⤵
PID:3048 -
C:\windows\SysWOW64\RXBFQFS.exeC:\windows\system32\RXBFQFS.exe119⤵
- Checks computer location settings
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZCCURSN.exe.bat" "120⤵
- System Location Discovery: System Language Discovery
PID:3984 -
C:\windows\ZCCURSN.exeC:\windows\ZCCURSN.exe121⤵
- Checks computer location settings
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MNKTF.exe.bat" "122⤵
PID:3616 -
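The process tree above repeats one step: a 32-bit cmd.exe runs `/c ""<drop>.exe.bat" "`, the .bat starts the freshly dropped copy, and that copy drops the next pair. Two details matter for hunting. First, the dropped names are short runs of upper-case letters under C:\windows, C:\windows\system or C:\windows\system32. Second, wherever the command line names C:\windows\system32 the executing image is actually under C:\windows\SysWOW64 (depth 9, RXA.exe, is one instance), which is WOW64 file-system redirection for a 32-bit process, so the .bat launchers "dropped in System32" land in SysWOW64 as well. The Python below is an added example, not code from the report or the sample: it parses rows in the page's flattened `<image><command line><depth>⤵` form, pairs each payload with the launcher one level above it, rewrites system32 drop paths to their on-disk SysWOW64 location, and emits a sweep list. The TREE text is constructed from seven rows copied from this page; the 3-7 letter name pattern is an observation from this page, not a property of the family in general.

```python
import re

# Constructed sample: seven rows copied from the process tree on this page, in
# its flattened "<image path><command line><depth>⤵" form. The root row is
# included so the parser is exercised on a quoted command line as well.
TREE = r'''
C:\Users\Admin\AppData\Local\Temp\3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe"C:\Users\Admin\AppData\Local\Temp\3bbf6d76dd7f4108792d68d177b8cb6d2237af4a5adb1e442f1a9bd1ee2749c5N.exe"1⤵
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RASSGC.exe.bat" "2⤵
C:\windows\RASSGC.exeC:\windows\RASSGC.exe3⤵
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RXA.exe.bat" "8⤵
C:\windows\SysWOW64\RXA.exeC:\windows\system32\RXA.exe9⤵
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IIIWPIM.exe.bat" "16⤵
C:\windows\system\IIIWPIM.exeC:\windows\system\IIIWPIM.exe17⤵
'''

# A row is: image path (first "X:\...exe"), then the command line (which may be
# quoted), then the nesting depth and the arrow the page uses.
ROW = re.compile(r'^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmd>"?[A-Za-z]:\\.*?)(?P<depth>\d+)⤵$')
# cmd.exe /c ""<path>.exe.bat" "  -- the launcher rows
BAT = re.compile(r'/c ""(?P<bat>[^"]+\.exe\.bat)" "$')
# Every dropped name on this page is 3-7 upper-case letters (observation, not a rule).
DROP_NAME = re.compile(r'^[A-Z]{3,7}$')


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"image": m["image"], "cmd": m["cmd"], "depth": int(m["depth"])})
    return rows


def on_disk(path):
    """Where a 32-bit process's write to \\windows\\system32 actually lands.
    WOW64 file-system redirection sends it to SysWOW64; the tree shows exactly
    this (command line says system32, executing image is under SysWOW64), so
    the .bat launchers dropped there must be hunted in SysWOW64 too."""
    return re.sub(r'(?i)\\windows\\system32\\', r'\\Windows\\SysWOW64\\', path)


def extract_iocs(rows):
    """Pair each dropped payload row with the .bat launcher one level above it."""
    launcher = {}  # depth -> bat path named on the cmd.exe /c row at that depth
    iocs = []
    for r in rows:
        b = BAT.search(r["cmd"])
        if b:
            launcher[r["depth"]] = b["bat"]
            continue
        if r["depth"] == 1:
            continue  # the submitted sample itself, not a drop
        name = r["image"].rsplit("\\", 1)[-1][:-len(".exe")]
        iocs.append({
            "name": name,
            "exe": r["image"],                      # path the payload actually ran from
            "bat": on_disk(launcher.get(r["depth"] - 1, "")),
            "redirected": r["image"].lower() != r["cmd"].lower(),
            "generated_name": bool(DROP_NAME.match(name)),
        })
    return iocs


def hunt_list(iocs):
    """Flat, de-duplicated list of on-disk paths to sweep for on other hosts."""
    paths = []
    for i in iocs:
        for p in (i["exe"], i["bat"]):
            if p and p not in paths:
                paths.append(p)
    return paths


if __name__ == "__main__":
    found = extract_iocs(parse_rows(TREE))
    for i in found:
        flag = " (WOW64-redirected)" if i["redirected"] else ""
        print(f"{i['name']:8} exe={i['exe']} bat={i['bat']}{flag}")
    print(len(hunt_list(found)), "paths to hunt")
```

On the seven constructed rows this returns three payloads (RASSGC, RXA, IIIWPIM) and six paths; RXA is the one flagged as redirected, and its launcher is reported at C:\Windows\SysWOW64\RXA.exe.bat rather than the system32 path the command line shows. A sweep that only checks the literal system32 paths would miss every launcher in that branch of the tree.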