Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/10/2024, 00:42

Static task: static1

Behavioral task: behavioral1
  Sample: dcb8de0cb3c5816d483119a3c51d635b3b8889de72462bb387e96269ca808ceaN.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: dcb8de0cb3c5816d483119a3c51d635b3b8889de72462bb387e96269ca808ceaN.exe
  Resource: win10v2004-20241007-en
General
Target: dcb8de0cb3c5816d483119a3c51d635b3b8889de72462bb387e96269ca808ceaN.exe
Size: 208KB
MD5: 3a0a6465ba076a8fe7b9c490ad68d4b0
SHA1: 7dcb1c7634a0bf47bdfbe5d40a291a704cdafe45
SHA256: dcb8de0cb3c5816d483119a3c51d635b3b8889de72462bb387e96269ca808cea
SHA512: 31f7477e2d1d94ee36d4d65d7f1079f6ec4effe7cdaabe71bba7db132cdc4b681d210577535081dd5912ffc5a524389c7c264989dff979fff3b9d4460dff7d21
SSDEEP: 6144:M2okEE6seNrgUgOch5CyOiAR/oiED6D+950HZIQEjE:BokEEleP1umNoiEG+aZIQn
Malware Config
Signatures

Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Level 1 (PID 828): C:\Users\Admin\AppData\Local\Temp\dcb8de0cb3c5816d483119a3c51d635b3b8889de72462bb387e96269ca808ceaN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dcb8de0cb3c5816d483119a3c51d635b3b8889de72462bb387e96269ca808ceaN.exe"
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 2 (PID 2948): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WSXYATV.exe.bat" "
- Suspicious use of WriteProcessMemory
-
Level 3 (PID 3064): C:\windows\system\WSXYATV.exe
Command line: C:\windows\system\WSXYATV.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 4 (PID 1496): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NBLVNKY.exe.bat" "
- Suspicious use of WriteProcessMemory
-
Level 5 (PID 1492): C:\windows\system\NBLVNKY.exe
Command line: C:\windows\system\NBLVNKY.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 6 (PID 760): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RJNDQQ.exe.bat" "
- Suspicious use of WriteProcessMemory
-
Level 7 (PID 1340): C:\windows\system\RJNDQQ.exe
Command line: C:\windows\system\RJNDQQ.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 8 (PID 3008): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IWQ.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
Level 9 (PID 5100): C:\windows\system\IWQ.exe
Command line: C:\windows\system\IWQ.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 10 (PID 4496): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TOTOG.exe.bat" "
- Suspicious use of WriteProcessMemory
-
Level 11 (PID 976): C:\windows\system\TOTOG.exe
Command line: C:\windows\system\TOTOG.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 12 (PID 3912): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NMU.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
Level 13 (PID 4552): C:\windows\NMU.exe
Command line: C:\windows\NMU.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 14 (PID 3340): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XKA.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
Level 15 (PID 4208): C:\windows\system\XKA.exe
Command line: C:\windows\system\XKA.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 16 (PID 3556): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVDSCGC.exe.bat" "
- Suspicious use of WriteProcessMemory
-
Level 17 (PID 3564): C:\windows\SysWOW64\WVDSCGC.exe
Command line: C:\windows\system32\WVDSCGC.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 18 (PID 4416): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\JGTRQ.exe.bat" "
- Suspicious use of WriteProcessMemory
-
Level 19 (PID 3448): C:\windows\JGTRQ.exe
Command line: C:\windows\JGTRQ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 20 (PID 2096): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BGV.exe.bat" "
- Suspicious use of WriteProcessMemory
-
Level 21 (PID 4592): C:\windows\SysWOW64\BGV.exe
Command line: C:\windows\system32\BGV.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Level 22 (PID 2888): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KTFO.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
Level 23 (PID 1012): C:\windows\KTFO.exe
Command line: C:\windows\KTFO.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 24 (PID 1472): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OWEJKEX.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 25 (PID 4820): C:\windows\system\OWEJKEX.exe
Command line: C:\windows\system\OWEJKEX.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 26 (PID 4604): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\JHMAY.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 27 (PID 4352): C:\windows\JHMAY.exe
Command line: C:\windows\JHMAY.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 28 (PID 4236): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NPTIKZH.exe.bat" "
-
Level 29 (PID 1268): C:\windows\NPTIKZH.exe
Command line: C:\windows\NPTIKZH.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 30 (PID 3632): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TKSIP.exe.bat" "
-
Level 31 (PID 4932): C:\windows\system\TKSIP.exe
Command line: C:\windows\system\TKSIP.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 32 (PID 1104): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AFB.exe.bat" "
-
Level 33 (PID 1428): C:\windows\system\AFB.exe
Command line: C:\windows\system\AFB.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 34 (PID 1136): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SODA.exe.bat" "
-
Level 35 (PID 1412): C:\windows\SODA.exe
Command line: C:\windows\SODA.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 36 (PID 3552): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OLJPSE.exe.bat" "
-
Level 37 (PID 740): C:\windows\OLJPSE.exe
Command line: C:\windows\OLJPSE.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 38 (PID 3836): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HON.exe.bat" "
-
Level 39 (PID 448): C:\windows\HON.exe
Command line: C:\windows\HON.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 40 (PID 2212): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RMSNFCT.exe.bat" "
-
Level 41 (PID 2484): C:\windows\RMSNFCT.exe
Command line: C:\windows\RMSNFCT.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 42 (PID 872): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AUU.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 43 (PID 4668): C:\windows\AUU.exe
Command line: C:\windows\AUU.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 44 (PID 3024): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KSI.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 45 (PID 1340): C:\windows\SysWOW64\KSI.exe
Command line: C:\windows\system32\KSI.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 46 (PID 844): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FGFWI.exe.bat" "
-
Level 47 (PID 4860): C:\windows\SysWOW64\FGFWI.exe
Command line: C:\windows\system32\FGFWI.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 48 (PID 940): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LGNKR.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 49 (PID 2340): C:\windows\system\LGNKR.exe
Command line: C:\windows\system\LGNKR.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 50 (PID 3340): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FTRTCKJ.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 51 (PID 1856): C:\windows\SysWOW64\FTRTCKJ.exe
Command line: C:\windows\system32\FTRTCKJ.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 52 (PID 840): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JBGTGC.exe.bat" "
-
Level 53 (PID 3088): C:\windows\system\JBGTGC.exe
Command line: C:\windows\system\JBGTGC.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 54 (PID 1788): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UUBMO.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 55 (PID 3004): C:\windows\SysWOW64\UUBMO.exe
Command line: C:\windows\system32\UUBMO.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 56 (PID 3068): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ESPGD.exe.bat" "
-
Level 57 (PID 1416): C:\windows\ESPGD.exe
Command line: C:\windows\ESPGD.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 58 (PID 2744): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OAJLHP.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 59 (PID 1852): C:\windows\OAJLHP.exe
Command line: C:\windows\OAJLHP.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 60 (PID 4768): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZSMEHXF.exe.bat" "
-
Level 61 (PID 4508): C:\windows\system\ZSMEHXF.exe
Command line: C:\windows\system\ZSMEHXF.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 62 (PID 4364): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DASET.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 63 (PID 4848): C:\windows\SysWOW64\DASET.exe
Command line: C:\windows\system32\DASET.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
Level 64 (PID 1868): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QLWKZG.exe.bat" "
-
Level 65 (PID 1780): C:\windows\SysWOW64\QLWKZG.exe
Command line: C:\windows\system32\QLWKZG.exe
- Executes dropped EXE
-
Level 66 (PID 4400): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WME.exe.bat" "
-
Level 67 (PID 3980): C:\windows\WME.exe
Command line: C:\windows\WME.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
Level 68 (PID 3476): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AUKYC.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 69 (PID 2596): C:\windows\system\AUKYC.exe
Command line: C:\windows\system\AUKYC.exe
- Executes dropped EXE
- Drops file in Windows directory
-
Level 70 (PID 2340): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NEGFH.exe.bat" "
-
Level 71 (PID 840): C:\windows\NEGFH.exe
Command line: C:\windows\NEGFH.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
Level 72 (PID 3964): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VUH.exe.bat" "
-
Level 73 (PID 4548): C:\windows\system\VUH.exe
Command line: C:\windows\system\VUH.exe
- Executes dropped EXE
- Drops file in Windows directory
-
Level 74 (PID 4812): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KPZIZA.exe.bat" "
-
Level 75 (PID 2736): C:\windows\system\KPZIZA.exe
Command line: C:\windows\system\KPZIZA.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Level 76 (PID 3004): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\BYTNCYN.exe.bat" "
-
Level 77 (PID 2744): C:\windows\system\BYTNCYN.exe
Command line: C:\windows\system\BYTNCYN.exe
- Checks computer location settings
- Executes dropped EXE
-
Level 78 (PID 2112): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OBJMQ.exe.bat" "
-
Level 79 (PID 448): C:\windows\system\OBJMQ.exe
Command line: C:\windows\system\OBJMQ.exe
- Executes dropped EXE
- Drops file in System32 directory
-
Level 80 (PID 752): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FLACQ.exe.bat" "
-
Level 81 (PID 1556): C:\windows\SysWOW64\FLACQ.exe
Command line: C:\windows\system32\FLACQ.exe
- Checks computer location settings
- Executes dropped EXE
-
Level 82 (PID 4672): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LMHQZXF.exe.bat" "
-
Level 83 (PID 4256): C:\windows\SysWOW64\LMHQZXF.exe
Command line: C:\windows\system32\LMHQZXF.exe
- Checks computer location settings
- Executes dropped EXE
-
Level 84 (PID 1104): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\MPLT.exe.bat" "
-
Level 85 (PID 2588): C:\windows\MPLT.exe
Command line: C:\windows\MPLT.exe
- Executes dropped EXE
-
Level 86 (PID 1696): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ESP.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 87 (PID 4724): C:\windows\SysWOW64\ESP.exe
Command line: C:\windows\system32\ESP.exe
- Executes dropped EXE
- Drops file in System32 directory
-
Level 88 (PID 4416): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KSXDBF.exe.bat" "
-
Level 89 (PID 2276): C:\windows\SysWOW64\KSXDBF.exe
Command line: C:\windows\system32\KSXDBF.exe
- Executes dropped EXE
-
Level 90 (PID 3012): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AIDON.exe.bat" "
-
Level 91 (PID 2496): C:\windows\AIDON.exe
Command line: C:\windows\AIDON.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Level 92 (PID 5084): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TDV.exe.bat" "
-
Level 93 (PID 3400): C:\windows\system\TDV.exe
Command line: C:\windows\system\TDV.exe
- Executes dropped EXE
- Drops file in System32 directory
-
Level 94 (PID 3956): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QJBOY.exe.bat" "
-
Level 95 (PID 3052): C:\windows\SysWOW64\QJBOY.exe
Command line: C:\windows\system32\QJBOY.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
Level 96 (PID 2192): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FEK.exe.bat" "
-
Level 97 (PID 2252): C:\windows\SysWOW64\FEK.exe
Command line: C:\windows\system32\FEK.exe
- Executes dropped EXE
- Drops file in System32 directory
-
Level 98 (PID 2456): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YHOWO.exe.bat" "
-
Level 99 (PID 884): C:\windows\SysWOW64\YHOWO.exe
Command line: C:\windows\system32\YHOWO.exe
- Executes dropped EXE
-
Level 100 (PID 1508): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\JXUWBAP.exe.bat" "
-
Level 101 (PID 836): C:\windows\JXUWBAP.exe
Command line: C:\windows\JXUWBAP.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Level 102 (PID 5004): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CSYSOY.exe.bat" "
-
Level 103 (PID 2080): C:\windows\SysWOW64\CSYSOY.exe
Command line: C:\windows\system32\CSYSOY.exe
- Executes dropped EXE
- Drops file in System32 directory
-
Level 104 (PID 688): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XND.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 105 (PID 1412): C:\windows\SysWOW64\XND.exe
Command line: C:\windows\system32\XND.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Level 106 (PID 4912): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HDRWGGO.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 107 (PID 1216): C:\windows\SysWOW64\HDRWGGO.exe
Command line: C:\windows\system32\HDRWGGO.exe
- Executes dropped EXE
-
Level 108 (PID 3224): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZGVA.exe.bat" "
-
Level 109 (PID 2888): C:\windows\ZGVA.exe
Command line: C:\windows\ZGVA.exe
- Executes dropped EXE
- Drops file in Windows directory
-
Level 110 (PID 2332): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ROXFP.exe.bat" "
-
Level 111 (PID 2024): C:\windows\system\ROXFP.exe
Command line: C:\windows\system\ROXFP.exe
- Executes dropped EXE
- Drops file in System32 directory
-
Level 112 (PID 4448): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ERFDD.exe.bat" "
-
Level 113 (PID 3468): C:\windows\SysWOW64\ERFDD.exe
Command line: C:\windows\system32\ERFDD.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
Level 114 (PID 5108): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DKITMKJ.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 115 (PID 4132): C:\windows\SysWOW64\DKITMKJ.exe
Command line: C:\windows\system32\DKITMKJ.exe
- Executes dropped EXE
- Drops file in Windows directory
-
Level 116 (PID 3020): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZHOI.exe.bat" "
- System Location Discovery: System Language Discovery
-
Level 117 (PID 2352): C:\windows\system\ZHOI.exe
Command line: C:\windows\system\ZHOI.exe
- Executes dropped EXE
- Drops file in Windows directory
-
Level 118 (PID 1524): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SKRMYK.exe.bat" "
-
Level 119 (PID 3584): C:\windows\SKRMYK.exe
Command line: C:\windows\SKRMYK.exe
- Executes dropped EXE
-
Level 120 (PID 1136): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WAYMK.exe.bat" "
-
Level 121 (PID 804): C:\windows\system\WAYMK.exe
Command line: C:\windows\system\WAYMK.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
Level 122 (PID 960): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LQHMRYY.exe.bat" "
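The tree above is one long relay: each dropped executable starts cmd.exe /c "<same name>.exe.bat", the batch file starts the next dropped executable, and the drop location rotates between C:\windows, C:\windows\system and C:\windows\system32. Because the images are 32-bit, writes to system32 land in SysWOW64, which is why the image path and the command line disagree for entries such as WVDSCGC.exe. The Python below is an added example, not tria.ge code: it rebuilds parent/child links from the depth column, pairs each cmd.exe launcher with the dropped executable that followed it, measures how far the relay chains, lists the drop directories and flags the WoW64-redirected hops. The pipe-separated row format, the hand-transcribed subset of rows (depths 1 to 17) and the trimmed signature lists are constructed for this example and are not the sandbox's export format.

```python
"""Detect the .exe.bat relay in a sandbox process tree. Added example, not tria.ge code;
rows are a hand-made transcription (depth|image|cmdline|pid|sig;sig), not a sandbox export."""
import re
from dataclasses import dataclass

# cmd.exe /c ""C:\dir\NAME.exe.bat" "  ->  captures C:\dir\NAME.exe.bat
BAT_LAUNCH = re.compile(r'cmd\.exe\s+/c\s+"+(?P<bat>[^"]+\.exe\.bat)"', re.IGNORECASE)

@dataclass(frozen=True)
class Proc:
    depth: int
    image: str
    cmdline: str
    pid: int
    sigs: frozenset

@dataclass(frozen=True)
class Hop:
    bat_path: str      # *.exe.bat handed to cmd.exe
    launcher_pid: int  # that cmd.exe
    exe_idx: int       # row index of the dropped exe it started
    exe_image: str     # observed image path (after any WoW64 redirection)
    redirected: bool   # command line names system32 but the image lives in SysWOW64

# Constructed sample: depths 1-17 of the report, signatures trimmed to what the detection reads.
SAMPLE_ROWS = r"""
1|C:\Users\Admin\AppData\Local\Temp\dcb8de0cb3c5816d483119a3c51d635b3b8889de72462bb387e96269ca808ceaN.exe|"C:\Users\Admin\AppData\Local\Temp\dcb8de0cb3c5816d483119a3c51d635b3b8889de72462bb387e96269ca808ceaN.exe"|828|Suspicious use of WriteProcessMemory
2|C:\Windows\SysWOW64\cmd.exe|C:\Windows\system32\cmd.exe /c ""C:\windows\system\WSXYATV.exe.bat" "|2948|Suspicious use of WriteProcessMemory
3|C:\windows\system\WSXYATV.exe|C:\windows\system\WSXYATV.exe|3064|Executes dropped EXE
4|C:\Windows\SysWOW64\cmd.exe|C:\Windows\system32\cmd.exe /c ""C:\windows\system\NBLVNKY.exe.bat" "|1496|Suspicious use of WriteProcessMemory
5|C:\windows\system\NBLVNKY.exe|C:\windows\system\NBLVNKY.exe|1492|Checks computer location settings;Executes dropped EXE
6|C:\Windows\SysWOW64\cmd.exe|C:\Windows\system32\cmd.exe /c ""C:\windows\system\RJNDQQ.exe.bat" "|760|Suspicious use of WriteProcessMemory
7|C:\windows\system\RJNDQQ.exe|C:\windows\system\RJNDQQ.exe|1340|Executes dropped EXE;Drops file in Windows directory
8|C:\Windows\SysWOW64\cmd.exe|C:\Windows\system32\cmd.exe /c ""C:\windows\system\IWQ.exe.bat" "|3008|Suspicious use of WriteProcessMemory
9|C:\windows\system\IWQ.exe|C:\windows\system\IWQ.exe|5100|Executes dropped EXE
10|C:\Windows\SysWOW64\cmd.exe|C:\Windows\system32\cmd.exe /c ""C:\windows\system\TOTOG.exe.bat" "|4496|Suspicious use of WriteProcessMemory
11|C:\windows\system\TOTOG.exe|C:\windows\system\TOTOG.exe|976|Executes dropped EXE
12|C:\Windows\SysWOW64\cmd.exe|C:\Windows\system32\cmd.exe /c ""C:\windows\NMU.exe.bat" "|3912|Suspicious use of WriteProcessMemory
13|C:\windows\NMU.exe|C:\windows\NMU.exe|4552|Executes dropped EXE
14|C:\Windows\SysWOW64\cmd.exe|C:\Windows\system32\cmd.exe /c ""C:\windows\system\XKA.exe.bat" "|3340|Suspicious use of WriteProcessMemory
15|C:\windows\system\XKA.exe|C:\windows\system\XKA.exe|4208|Checks computer location settings;Executes dropped EXE;Drops file in System32 directory
16|C:\Windows\SysWOW64\cmd.exe|C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVDSCGC.exe.bat" "|3556|Suspicious use of WriteProcessMemory
17|C:\windows\SysWOW64\WVDSCGC.exe|C:\windows\system32\WVDSCGC.exe|3564|Checks computer location settings;Executes dropped EXE
"""

def parse_rows(text):
    procs = []
    for line in text.strip().splitlines():
        depth, image, cmdline, pid, sigs = line.split("|", 4)
        procs.append(Proc(int(depth), image, cmdline, int(pid),
                          frozenset(s for s in sigs.split(";") if s)))
    return procs

def parent_index(procs):
    """Parent of each row = the most recent row one level shallower (pre-order tree)."""
    last_at_depth, parents = {}, {}
    for i, p in enumerate(procs):
        parents[i] = last_at_depth.get(p.depth - 1)
        last_at_depth[p.depth] = i
    return parents

def _norm(path):
    return path.strip('"').lower()

def find_bat_relay_hops(procs):
    """Pair each cmd.exe that ran X.exe.bat with the child whose command line is X.exe."""
    parents, hops = parent_index(procs), []
    for i, child in enumerate(procs):
        pi = parents[i]
        m = BAT_LAUNCH.search(procs[pi].cmdline) if pi is not None else None
        if not m:
            continue
        expected_exe = m.group("bat")[:-len(".bat")]
        if _norm(child.cmdline) != _norm(expected_exe):
            continue
        redirected = (_norm(expected_exe).startswith("c:\\windows\\system32\\")
                      and _norm(child.image).startswith("c:\\windows\\syswow64\\"))
        hops.append(Hop(m.group("bat"), procs[pi].pid, i, child.image, redirected))
    return hops

def longest_relay_chain(procs, hops):
    """Longest run of hops in which one hop's dropped exe is the parent of the next launcher."""
    parents, best, run, prev_exe = parent_index(procs), 0, 0, None
    for h in hops:
        run = run + 1 if parents[parents[h.exe_idx]] == prev_exe else 1
        best, prev_exe = max(best, run), h.exe_idx
    return best

def summarize(text):
    procs = parse_rows(text)
    hops = find_bat_relay_hops(procs)
    return {"hops": len(hops), "chain": longest_relay_chain(procs, hops),
            "dirs": sorted({h.bat_path.lower().rsplit("\\", 1)[0] for h in hops}),
            "redirected": [h.exe_image for h in hops if h.redirected],
            "untagged": [procs[h.exe_idx].pid for h in hops
                         if "Executes dropped EXE" not in procs[h.exe_idx].sigs]}

if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
```

On the constructed rows this reports 8 hops forming a single chain of length 8, three drop directories, one redirected hop (WVDSCGC.exe) and no dropped executable that the sandbox failed to tag. The pairing deliberately keys on the command line rather than the image path, since the image path is what the redirection changes; the "untagged" list is the cross-check that would catch a launcher whose child was not flagged as a dropped file.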