Analysis
max time kernel: 120s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/10/2024, 16:03
Static task: static1
Behavioral task: behavioral1
  Sample: 9dc4ae8b5becf436eb3377394db47b2088c786c5f7b0ccdaaeefcef9282f31dcN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9dc4ae8b5becf436eb3377394db47b2088c786c5f7b0ccdaaeefcef9282f31dcN.exe
  Resource: win10v2004-20241007-en
General
Target: 9dc4ae8b5becf436eb3377394db47b2088c786c5f7b0ccdaaeefcef9282f31dcN.exe
Size: 208KB
MD5: 4f30279f477f92107cc60758c9c739c0
SHA1: d25089900cc5621913083f3ffd25dad97f4a117a
SHA256: 9dc4ae8b5becf436eb3377394db47b2088c786c5f7b0ccdaaeefcef9282f31dc
SHA512: 522b4b8863d5e39481b1a4cb8ac0735ede69f04211eb55d1de74ed3616253a4fa14e38cb9d107db73fe78b33157e17912421b4981ecfe22105d05b7ab880a7f7
SSDEEP: 6144:FMvNHNsg3SANUmQqeapjieA4oXS7Q7QEj+:FM1H1IUeapjiGoXS7Q7QB
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\9dc4ae8b5becf436eb3377394db47b2088c786c5f7b0ccdaaeefcef9282f31dcN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9dc4ae8b5becf436eb3377394db47b2088c786c5f7b0ccdaaeefcef9282f31dcN.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1964

Depth 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\EHDNSXM.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1672

Depth 3: C:\windows\EHDNSXM.exe
  Command line: C:\windows\EHDNSXM.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1084

Depth 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KDOOYM.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2428

Depth 5: C:\windows\KDOOYM.exe
  Command line: C:\windows\KDOOYM.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1924

Depth 6: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QDWC.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1644

Depth 7: C:\windows\SysWOW64\QDWC.exe
  Command line: C:\windows\system32\QDWC.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1376

Depth 8: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MICZW.exe.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3060

Depth 9: C:\windows\SysWOW64\MICZW.exe
  Command line: C:\windows\system32\MICZW.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2860

Depth 10: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\MOUFXD.exe.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1064

Depth 11: C:\windows\MOUFXD.exe
  Command line: C:\windows\MOUFXD.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1284

Depth 12: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SOB.exe.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2144

Depth 13: C:\windows\system\SOB.exe
  Command line: C:\windows\system\SOB.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4872

Depth 14: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UMPNWN.exe.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3576

Depth 15: C:\windows\UMPNWN.exe
  Command line: C:\windows\UMPNWN.exe
  - Checks computer location settings
  - Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GUW.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\windows\GUW.exeC:\windows\GUW.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GAWKKL.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\windows\system\GAWKKL.exeC:\windows\system\GAWKKL.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZADV.exe.bat" "20⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\windows\SysWOW64\ZADV.exeC:\windows\system32\ZADV.exe21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SVH.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:368 -
C:\windows\system\SVH.exeC:\windows\system\SVH.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4428 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FGXPNM.exe.bat" "24⤵
- System Location Discovery: System Language Discovery
PID:2400 -
C:\windows\FGXPNM.exeC:\windows\FGXPNM.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LBXQ.exe.bat" "26⤵
- System Location Discovery: System Language Discovery
PID:2948 -
C:\windows\SysWOW64\LBXQ.exeC:\windows\system32\LBXQ.exe27⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FUEBBIE.exe.bat" "28⤵
PID:3376 -
C:\windows\FUEBBIE.exeC:\windows\FUEBBIE.exe29⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKFAH.exe.bat" "30⤵
PID:3756 -
C:\windows\SysWOW64\UKFAH.exeC:\windows\system32\UKFAH.exe31⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4720 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PXKKSDQ.exe.bat" "32⤵
- System Location Discovery: System Language Discovery
PID:1176 -
C:\windows\system\PXKKSDQ.exeC:\windows\system\PXKKSDQ.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OQTLGIW.exe.bat" "34⤵
PID:4732 -
C:\windows\SysWOW64\OQTLGIW.exeC:\windows\system32\OQTLGIW.exe35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SYZLKA.exe.bat" "36⤵
PID:3400 -
C:\windows\system\SYZLKA.exeC:\windows\system\SYZLKA.exe37⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YTYMODI.exe.bat" "38⤵
PID:2124 -
C:\windows\YTYMODI.exeC:\windows\YTYMODI.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3088 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TGDV.exe.bat" "40⤵
PID:1268 -
C:\windows\system\TGDV.exeC:\windows\system\TGDV.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MZLG.exe.bat" "42⤵
- System Location Discovery: System Language Discovery
PID:1424 -
C:\windows\SysWOW64\MZLG.exeC:\windows\system32\MZLG.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WHNTU.exe.bat" "44⤵
PID:1464 -
C:\windows\SysWOW64\WHNTU.exeC:\windows\system32\WHNTU.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NUX.exe.bat" "46⤵
PID:1988 -
C:\windows\SysWOW64\NUX.exeC:\windows\system32\NUX.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YNAW.exe.bat" "48⤵
PID:4884 -
C:\windows\system\YNAW.exeC:\windows\system\YNAW.exe49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ULGT.exe.bat" "50⤵
- System Location Discovery: System Language Discovery
PID:4288 -
C:\windows\ULGT.exeC:\windows\ULGT.exe51⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4488 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CBHTXKB.exe.bat" "52⤵
PID:2168 -
C:\windows\system\CBHTXKB.exeC:\windows\system\CBHTXKB.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4580 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\IBOGG.exe.bat" "54⤵
- System Location Discovery: System Language Discovery
PID:3860 -
C:\windows\IBOGG.exeC:\windows\IBOGG.exe55⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KZI.exe.bat" "56⤵
PID:1400 -
C:\windows\system\KZI.exeC:\windows\system\KZI.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UXV.exe.bat" "58⤵
PID:4640 -
C:\windows\UXV.exeC:\windows\UXV.exe59⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MAZZI.exe.bat" "60⤵
PID:4784 -
C:\windows\MAZZI.exeC:\windows\MAZZI.exe61⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ICIPW.exe.bat" "62⤵
PID:3124 -
C:\windows\ICIPW.exeC:\windows\ICIPW.exe63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\AFLTBAZ.exe.bat" "64⤵
PID:1012 -
C:\windows\SysWOW64\AFLTBAZ.exeC:\windows\system32\AFLTBAZ.exe65⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BIP.exe.bat" "66⤵
PID:2780 -
C:\windows\system\BIP.exeC:\windows\system\BIP.exe67⤵
- Checks computer location settings
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZJXCQL.exe.bat" "68⤵
- System Location Discovery: System Language Discovery
PID:4388 -
C:\windows\ZJXCQL.exeC:\windows\ZJXCQL.exe69⤵
- Checks computer location settings
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HOXRZY.exe.bat" "70⤵
PID:2112 -
C:\windows\HOXRZY.exeC:\windows\HOXRZY.exe71⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LEEZ.exe.bat" "72⤵
PID:2428 -
C:\windows\SysWOW64\LEEZ.exeC:\windows\system32\LEEZ.exe73⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\AZNDXDB.exe.bat" "74⤵
PID:1148 -
C:\windows\SysWOW64\AZNDXDB.exeC:\windows\system32\AZNDXDB.exe75⤵
- Checks computer location settings
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JAPIA.exe.bat" "76⤵
PID:2928 -
C:\windows\JAPIA.exeC:\windows\JAPIA.exe77⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ENUSKIS.exe.bat" "78⤵
PID:4840 -
C:\windows\system\ENUSKIS.exeC:\windows\system\ENUSKIS.exe79⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CLBDOT.exe.bat" "80⤵
PID:2144 -
C:\windows\system\CLBDOT.exeC:\windows\system\CLBDOT.exe81⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CQTRYGC.exe.bat" "82⤵
- System Location Discovery: System Language Discovery
PID:3120 -
C:\windows\system\CQTRYGC.exeC:\windows\system\CQTRYGC.exe83⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TED.exe.bat" "84⤵
PID:324 -
C:\windows\system\TED.exeC:\windows\system\TED.exe85⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TJDYPQ.exe.bat" "86⤵
PID:4088 -
C:\windows\SysWOW64\TJDYPQ.exeC:\windows\system32\TJDYPQ.exe87⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OXIHRQI.exe.bat" "88⤵
PID:1340 -
C:\windows\OXIHRQI.exeC:\windows\OXIHRQI.exe89⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SNPHD.exe.bat" "90⤵
- System Location Discovery: System Language Discovery
PID:444 -
C:\windows\SNPHD.exeC:\windows\SNPHD.exe91⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JNRMHG.exe.bat" "92⤵
PID:2400 -
C:\windows\SysWOW64\JNRMHG.exeC:\windows\system32\JNRMHG.exe93⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3168 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EAW.exe.bat" "94⤵
PID:4632 -
C:\windows\SysWOW64\EAW.exeC:\windows\system32\EAW.exe95⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\TDFIKS.exe.bat" "96⤵
PID:2900 -
C:\windows\TDFIKS.exeC:\windows\TDFIKS.exe97⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2140 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CEHNOYX.exe.bat" "98⤵
PID:4832 -
C:\windows\CEHNOYX.exeC:\windows\CEHNOYX.exe99⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OWC.exe.bat" "100⤵
PID:3956 -
C:\windows\system\OWC.exeC:\windows\system\OWC.exe101⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IJHPY.exe.bat" "102⤵
PID:4892 -
C:\windows\SysWOW64\IJHPY.exeC:\windows\system32\IJHPY.exe103⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4308 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VULO.exe.bat" "104⤵
PID:4440 -
C:\windows\VULO.exeC:\windows\VULO.exe105⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LPUAWJF.exe.bat" "106⤵
PID:4736 -
C:\windows\SysWOW64\LPUAWJF.exeC:\windows\system32\LPUAWJF.exe107⤵
- Checks computer location settings
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LVVOY.exe.bat" "108⤵
PID:4716 -
C:\windows\system\LVVOY.exeC:\windows\system\LVVOY.exe109⤵
- Checks computer location settings
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QVCCH.exe.bat" "110⤵
PID:2820 -
C:\windows\QVCCH.exeC:\windows\QVCCH.exe111⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ULWKK.exe.bat" "112⤵
PID:3812 -
C:\windows\ULWKK.exeC:\windows\ULWKK.exe113⤵
- Checks computer location settings
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IOF.exe.bat" "114⤵
PID:5064 -
C:\windows\system\IOF.exeC:\windows\system\IOF.exe115⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4928 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KMGD.exe.bat" "116⤵
PID:4800 -
C:\windows\SysWOW64\KMGD.exeC:\windows\system32\KMGD.exe117⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VJJJR.exe.bat" "118⤵
PID:3540 -
C:\windows\VJJJR.exeC:\windows\VJJJR.exe119⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XHL.exe.bat" "120⤵
PID:2908 -
C:\windows\SysWOW64\XHL.exeC:\windows\system32\XHL.exe121⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BXR.exe.bat" "122⤵
PID:4200