Analysis
max time kernel: 120s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2024, 16:33
Static task: static1
Behavioral task: behavioral1
  Sample: 0c0c2700e9b8da45e90cb8a8ff4010fd6b8edacf484c15aeca5fc57f39876ff9N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 0c0c2700e9b8da45e90cb8a8ff4010fd6b8edacf484c15aeca5fc57f39876ff9N.exe
  Resource: win10v2004-20241007-en
General
Target: 0c0c2700e9b8da45e90cb8a8ff4010fd6b8edacf484c15aeca5fc57f39876ff9N.exe
Size: 208KB
MD5: 21b4bf048ac9b39677f13878111d68f0
SHA1: 758e8a6e7f19893cee981bb72f2c3a468ea38f62
SHA256: 0c0c2700e9b8da45e90cb8a8ff4010fd6b8edacf484c15aeca5fc57f39876ff9
SHA512: b1fe0068cc93f706080ae0965ce99be09d21794b570d7b582206b1d35057b0c4e2da8aa0a90693742e9d9ffb0370dbf4a89b533e046b26a94e4bd86dfa158da9
SSDEEP: 3072:I/nYNCWK6RVF3vF3JquyUEE4zDCSdQ17q4Dvi04NLthEjQT6+:I/nY3Ks/dkBlDL34DFQEjM
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
All 64 rows share the same description ("Key value queried") and the same ioc (\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation). The querying process for each row, in report order:
CSE.exe, DZO.exe, SSI.exe, TVMEDT.exe, TAMSMGY.exe, QACTN.exe, RMGG.exe, 0c0c2700e9b8da45e90cb8a8ff4010fd6b8edacf484c15aeca5fc57f39876ff9N.exe, EUNH.exe, ZQWJKG.exe, LZETU.exe, SFCOHGR.exe, BGOKEA.exe, MXNZO.exe, JYRT.exe, ZZPCT.exe, AFIR.exe, SVPQV.exe, NIMZFAS.exe, XRIVBN.exe, DWT.exe, LKNUE.exe, VTNBOQ.exe, FESCFL.exe, IFNZD.exe, OWC.exe, LGFS.exe, UEGQQ.exe, MAUQOI.exe, TJFMZSZ.exe, LJCSSKA.exe, EUUDM.exe, DEMKS.exe, UHZYF.exe, TAIZL.exe, XTB.exe, SMRGAX.exe, FOKCAU.exe, VKG.exe, XEZXSIF.exe, FWZFY.exe, NDSMH.exe, ZWVFHG.exe, EPKTO.exe, OBVUPR.exe, IBSIEPH.exe, CYK.exe, BNGQQ.exe, UKFAH.exe, CVFG.exe, LEX.exe, MAGGVG.exe, JBQYEFJ.exe, NHKLWHO.exe, LSV.exe, FEXAN.exe, WTBBL.exe, CIA.exe, SZYC.exe, DXQ.exe, HRNN.exe, FSLSTKQ.exe, DTJ.exe, EMYNJPH.exe
Executes dropped EXE (64 IoCs)
pid | Process
4976 | IBSIEPH.exe
4416 | SZYC.exe
4740 | UCHJE.exe
3660 | UHZYF.exe
3896 | TAIZL.exe
2700 | FSLSTKQ.exe
2128 | HGQ.exe
2416 | PWRTKFU.exe
2856 | KGZSZ.exe
4960 | MENM.exe
3856 | UKFAH.exe
1056 | DXQ.exe
4480 | OQTLGIW.exe
3956 | SYZLKA.exe
5048 | CVFG.exe
4572 | NOIYZ.exe
980 | BUIK.exe
3864 | LSV.exe
2196 | PACED.exe
4092 | YAEJGZR.exe
3568 | TVJ.exe
5108 | KBTLHW.exe
4876 | LEX.exe
3640 | UMZU.exe
452 | JHIYIEG.exe
4976 | EUNH.exe
3928 | EAGWU.exe
3004 | YVKFWRM.exe
2796 | ZQWJKG.exe
3092 | STAFPWX.exe
4160 | CRGZXFG.exe
2028 | HRNN.exe
4420 | NSVB.exe
2348 | ZKYTFR.exe
3912 | CSE.exe
1696 | MAGGVG.exe
544 | XTB.exe
2712 | DTJ.exe
4056 | ZZPCT.exe
4892 | SUG.exe
5000 | PAMD.exe
2948 | MAUQOI.exe
3988 | NDY.exe
1508 | RLEUFI.exe
4500 | EWIBKIL.exe
760 | OWC.exe
680 | SMRGAX.exe
1376 | SHVJ.exe
2800 | NCZTQN.exe
4992 | AFIR.exe
4380 | VTNBOQ.exe
4372 | BOMC.exe
3528 | FESCFL.exe
4916 | UZCO.exe
956 | LZETU.exe
212 | SUBF.exe
4504 | ENEYEM.exe
4304 | TQN.exe
808 | NDSMH.exe
3648 | ZWVFHG.exe
64 | ZBNTJTU.exe
4540 | LRCTV.exe
1552 | YUKSJOM.exe
1368 | EPKTO.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\windows\SysWOW64\UKFAH.exe | MENM.exe
File created | C:\windows\SysWOW64\OIHPMPP.exe | KAAHH.exe
File created | C:\windows\SysWOW64\SFCOHGR.exe.bat | DZWZSWP.exe
File opened for modification | C:\windows\SysWOW64\VZNUYBZ.exe | AMILOB.exe
File created | C:\windows\SysWOW64\PWRTKFU.exe.bat | HGQ.exe
File created | C:\windows\SysWOW64\EUNH.exe | JHIYIEG.exe
File created | C:\windows\SysWOW64\SUBF.exe | LZETU.exe
File created | C:\windows\SysWOW64\UIUDP.exe.bat | ENKYEWA.exe
File created | C:\windows\SysWOW64\WTBBL.exe | MLZWIRJ.exe
File created | C:\windows\SysWOW64\MLCEKLU.exe | OWRB.exe
File opened for modification | C:\windows\SysWOW64\PWRTKFU.exe | HGQ.exe
File created | C:\windows\SysWOW64\VKG.exe.bat | IACUIXB.exe
File created | C:\windows\SysWOW64\UIUDP.exe | ENKYEWA.exe
File created | C:\windows\SysWOW64\YUKSJOM.exe.bat | LRCTV.exe
File created | C:\windows\SysWOW64\OVGT.exe | MXNZO.exe
File created | C:\windows\SysWOW64\VKG.exe | IACUIXB.exe
File opened for modification | C:\windows\SysWOW64\NTNG.exe | MYJDMPP.exe
File created | C:\windows\SysWOW64\YAEJGZR.exe | PACED.exe
File created | C:\windows\SysWOW64\YAEJGZR.exe.bat | PACED.exe
File created | C:\windows\SysWOW64\YUKSJOM.exe | LRCTV.exe
File created | C:\windows\SysWOW64\NTNG.exe.bat | MYJDMPP.exe
File opened for modification | C:\windows\SysWOW64\WTBBL.exe | MLZWIRJ.exe
File created | C:\windows\SysWOW64\FSLSTKQ.exe.bat | TAIZL.exe
File created | C:\windows\SysWOW64\CRGZXFG.exe | STAFPWX.exe
File created | C:\windows\SysWOW64\CRGZXFG.exe.bat | STAFPWX.exe
File created | C:\windows\SysWOW64\UMZU.exe | LEX.exe
File created | C:\windows\SysWOW64\RLEUFI.exe.bat | NDY.exe
File opened for modification | C:\windows\SysWOW64\PXYQD.exe | OBVUPR.exe
File created | C:\windows\SysWOW64\DXZWN.exe | BZLBXIK.exe
File created | C:\windows\SysWOW64\UKFAH.exe | MENM.exe
File opened for modification | C:\windows\SysWOW64\BUIK.exe | NOIYZ.exe
File created | C:\windows\SysWOW64\PACED.exe | LSV.exe
File created | C:\windows\SysWOW64\QYJDBZG.exe | MQCDP.exe
File created | C:\windows\SysWOW64\SFCOHGR.exe | DZWZSWP.exe
File created | C:\windows\SysWOW64\SMRGAX.exe.bat | OWC.exe
File created | C:\windows\SysWOW64\SHVJ.exe.bat | SMRGAX.exe
File opened for modification | C:\windows\SysWOW64\ZMN.exe | XRIVBN.exe
File created | C:\windows\SysWOW64\ZMN.exe | XRIVBN.exe
File created | C:\windows\SysWOW64\QYJDBZG.exe.bat | MQCDP.exe
File created | C:\windows\SysWOW64\KVGTJV.exe.bat | IFNZD.exe
File created | C:\windows\SysWOW64\TAIZL.exe.bat | UHZYF.exe
File created | C:\windows\SysWOW64\UKFAH.exe.bat | MENM.exe
File created | C:\windows\SysWOW64\NDSMH.exe | TQN.exe
File opened for modification | C:\windows\SysWOW64\QYJDBZG.exe | MQCDP.exe
File created | C:\windows\SysWOW64\PXYQD.exe | OBVUPR.exe
File opened for modification | C:\windows\SysWOW64\OIHPMPP.exe | KAAHH.exe
File opened for modification | C:\windows\SysWOW64\MENM.exe | KGZSZ.exe
File created | C:\windows\SysWOW64\SMRGAX.exe | OWC.exe
File created | C:\windows\SysWOW64\LZETU.exe | UZCO.exe
File created | C:\windows\SysWOW64\ZMN.exe.bat | XRIVBN.exe
File created | C:\windows\SysWOW64\PWRTKFU.exe | HGQ.exe
File opened for modification | C:\windows\SysWOW64\PACED.exe | LSV.exe
File opened for modification | C:\windows\SysWOW64\SUBF.exe | LZETU.exe
File created | C:\windows\SysWOW64\KVGTJV.exe | IFNZD.exe
File created | C:\windows\SysWOW64\FEXAN.exe | TMUP.exe
File created | C:\windows\SysWOW64\FEXAN.exe.bat | TMUP.exe
File opened for modification | C:\windows\SysWOW64\HCYCL.exe | FEXAN.exe
File opened for modification | C:\windows\SysWOW64\SFCOHGR.exe | DZWZSWP.exe
File opened for modification | C:\windows\SysWOW64\FSLSTKQ.exe | TAIZL.exe
File created | C:\windows\SysWOW64\NOIYZ.exe | CVFG.exe
File opened for modification | C:\windows\SysWOW64\UZCO.exe | FESCFL.exe
File opened for modification | C:\windows\SysWOW64\UIUDP.exe | ENKYEWA.exe
File opened for modification | C:\windows\SysWOW64\OVGT.exe | MXNZO.exe
File opened for modification | C:\windows\SysWOW64\DXZWN.exe | BZLBXIK.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\windows\ENEYEM.exe.bat | SUBF.exe
File opened for modification | C:\windows\CYK.exe | KVGTJV.exe
File opened for modification | C:\windows\MLYGCYK.exe | UIUDP.exe
File created | C:\windows\EUUDM.exe | NHKLWHO.exe
File created | C:\windows\CSE.exe | ZKYTFR.exe
File created | C:\windows\BBPWMH.exe.bat | LGFS.exe
File created | C:\windows\LRCTV.exe.bat | ZBNTJTU.exe
File opened for modification | C:\windows\system\VTNBOQ.exe | AFIR.exe
File created | C:\windows\system\GXCBI.exe | AXU.exe
File created | C:\windows\HZHO.exe | MLCEKLU.exe
File created | C:\windows\system\ICLKZA.exe | HZHO.exe
File created | C:\windows\system\HRNN.exe.bat | CRGZXFG.exe
File created | C:\windows\system\TMUP.exe | CYK.exe
File opened for modification | C:\windows\system\FQY.exe | SFCOHGR.exe
File created | C:\windows\system\GKU.exe | AKMTM.exe
File created | C:\windows\EUUDM.exe.bat | NHKLWHO.exe
File opened for modification | C:\windows\LRCTV.exe | ZBNTJTU.exe
File created | C:\windows\system\DXQ.exe.bat | UKFAH.exe
File created | C:\windows\system\LEX.exe | KBTLHW.exe
File created | C:\windows\NSVB.exe.bat | HRNN.exe
File created | C:\windows\system\RJCGEX.exe | NTNG.exe
File opened for modification | C:\windows\system\HGQ.exe | FSLSTKQ.exe
File opened for modification | C:\windows\system\STAFPWX.exe | ZQWJKG.exe
File opened for modification | C:\windows\system\AKMTM.exe | LULU.exe
File created | C:\windows\UHZYF.exe | UCHJE.exe
File opened for modification | C:\windows\IFNZD.exe | SCDNSMK.exe
File created | C:\windows\system\QUDY.exe.bat | OXJV.exe
File created | C:\windows\system\ENKYEWA.exe | YSLQ.exe
File created | C:\windows\system\JYRT.exe | WNBCSR.exe
File created | C:\windows\system\DZO.exe.bat | SGTGKZU.exe
File created | C:\windows\system\DOVLYNO.exe | DEMKS.exe
File opened for modification | C:\windows\EAGWU.exe | EUNH.exe
File opened for modification | C:\windows\FESCFL.exe | BOMC.exe
File created | C:\windows\NIMZFAS.exe | SVPQV.exe
File opened for modification | C:\windows\system\PAMD.exe | SUG.exe
File opened for modification | C:\windows\system\DWT.exe | BBPWMH.exe
File created | C:\windows\system\OXJV.exe | TJFMZSZ.exe
File created | C:\windows\system\KAAHH.exe | GKU.exe
File opened for modification | C:\windows\system\ICLKZA.exe | HZHO.exe
File created | C:\windows\system\VTNBOQ.exe.bat | AFIR.exe
File opened for modification | C:\windows\system\BGOKEA.exe | BNGQQ.exe
File opened for modification | C:\windows\system\KAAHH.exe | GKU.exe
File created | C:\windows\QACTN.exe | KAC.exe
File opened for modification | C:\windows\ZQBH.exe | NIMZFAS.exe
File opened for modification | C:\windows\SUG.exe | ZZPCT.exe
File created | C:\windows\FESCFL.exe | BOMC.exe
File created | C:\windows\system\LGFS.exe | VVP.exe
File created | C:\windows\CYK.exe.bat | KVGTJV.exe
File created | C:\windows\system\LEX.exe.bat | KBTLHW.exe
File opened for modification | C:\windows\EPKTO.exe | YUKSJOM.exe
File created | C:\windows\IFNZD.exe | SCDNSMK.exe
File created | C:\windows\system\BGOKEA.exe.bat | BNGQQ.exe
File created | C:\windows\system\YSLQ.exe | JXCLOG.exe
File opened for modification | C:\windows\system\KAC.exe | NUWQXK.exe
File created | C:\windows\system\JYRT.exe.bat | WNBCSR.exe
File created | C:\windows\ZKYTFR.exe | NSVB.exe
File created | C:\windows\system\RMGG.exe.bat | FWZFY.exe
File created | C:\windows\system\LKNUE.exe | TPJQRR.exe
File created | C:\windows\system\MLZWIRJ.exe.bat | OVGT.exe
File created | C:\windows\system\HGQ.exe.bat | FSLSTKQ.exe
File created | C:\windows\system\VTNBOQ.exe | AFIR.exe
File created | C:\windows\system\ZDDEX.exe.bat | FQY.exe
File created | C:\windows\system\SGTGKZU.exe.bat | JYRT.exe
File created | C:\windows\system\CIA.exe.bat | IVVDOH.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
pid | pid_target | Process | procid_target
1512 | 1068 | WerFault.exe | 83
3120 | 4976 | WerFault.exe | 90
1248 | 4416 | WerFault.exe | 96
1168 | 4740 | WerFault.exe | 101
544 | 3660 | WerFault.exe | 106
2336 | 3896 | WerFault.exe | 111
4648 | 2700 | WerFault.exe | 116
4028 | 2128 | WerFault.exe | 121
1964 | 2416 | WerFault.exe | 126
2764 | 2856 | WerFault.exe | 131
2468 | 4960 | WerFault.exe | 136
4740 | 3856 | WerFault.exe | 141
3568 | 1056 | WerFault.exe | 146
932 | 4480 | WerFault.exe | 151
3208 | 3956 | WerFault.exe | 156
2388 | 5048 | WerFault.exe | 161
1420 | 4572 | WerFault.exe | 166
1112 | 980 | WerFault.exe | 171
1172 | 3864 | WerFault.exe | 176
1380 | 2196 | WerFault.exe | 181
4972 | 4092 | WerFault.exe | 186
4532 | 3568 | WerFault.exe | 191
4308 | 5108 | WerFault.exe | 196
2216 | 4876 | WerFault.exe | 201
3220 | 3640 | WerFault.exe | 206
524 | 452 | WerFault.exe | 210
1968 | 4976 | WerFault.exe | 216
1212 | 3928 | WerFault.exe | 221
720 | 3004 | WerFault.exe | 226
1880 | 2796 | WerFault.exe | 231
4076 | 3092 | WerFault.exe | 236
2988 | 4160 | WerFault.exe | 241
1068 | 2028 | WerFault.exe | 246
708 | 4420 | WerFault.exe | 251
4760 | 2348 | WerFault.exe | 256
4176 | 3912 | WerFault.exe | 261
1488 | 1696 | WerFault.exe | 266
3212 | 544 | WerFault.exe | 271
4368 | 2712 | WerFault.exe | 276
2988 | 4056 | WerFault.exe | 281
2388 | 4892 | WerFault.exe | 288
2568 | 5000 | WerFault.exe | 293
2348 | 2948 | WerFault.exe | 298
5056 | 3988 | WerFault.exe | 302
2176 | 1508 | WerFault.exe | 308
4840 | 4500 | WerFault.exe | 313
2876 | 760 | WerFault.exe | 318
4876 | 680 | WerFault.exe | 323
2596 | 1376 | WerFault.exe | 328
4304 | 2800 | WerFault.exe | 333
2084 | 4992 | WerFault.exe | 338
3648 | 4380 | WerFault.exe | 343
4188 | 4372 | WerFault.exe | 348
4684 | 3528 | WerFault.exe | 353
400 | 4916 | WerFault.exe | 358
3568 | 956 | WerFault.exe | 363
3208 | 212 | WerFault.exe | 369
4420 | 4504 | WerFault.exe | 374
1732 | 4304 | WerFault.exe | 379
4740 | 808 | WerFault.exe | 384
2896 | 3648 | WerFault.exe | 389
4492 | 64 | WerFault.exe | 394
404 | 4540 | WerFault.exe | 399
4764 | 1552 | WerFault.exe | 404
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
All 64 rows share the same description ("Key opened") and the same ioc (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language). The opening process for each row, in report order:
cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, MSW.exe, cmd.exe, cmd.exe, DZO.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, YVKFWRM.exe, VTNBOQ.exe, SCDNSMK.exe, ZDDEX.exe, cmd.exe, DEMKS.exe, cmd.exe, ZWVFHG.exe, cmd.exe, cmd.exe, cmd.exe, OVGT.exe, LJCSSKA.exe, VVP.exe, cmd.exe, NDY.exe, cmd.exe, cmd.exe, MQCDP.exe, TJFMZSZ.exe, UIUDP.exe, cmd.exe, cmd.exe, IACUIXB.exe, MYJDMPP.exe, RJCGEX.exe, DXQ.exe, cmd.exe, ZKYTFR.exe, cmd.exe, cmd.exe, DTJ.exe, cmd.exe, LULU.exe, KAAHH.exe, OWRB.exe, cmd.exe, UCHJE.exe, CSE.exe, PAMD.exe, SVPQV.exe, KVGTJV.exe, AMILOB.exe, PWRTKFU.exe, cmd.exe, BOMC.exe, cmd.exe, cmd.exe, TMUP.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (each pair is listed twice in the report, giving 64 rows)
1068 | 0c0c2700e9b8da45e90cb8a8ff4010fd6b8edacf484c15aeca5fc57f39876ff9N.exe
4976 | IBSIEPH.exe
4416 | SZYC.exe
4740 | UCHJE.exe
3660 | UHZYF.exe
3896 | TAIZL.exe
2700 | FSLSTKQ.exe
2128 | HGQ.exe
2416 | PWRTKFU.exe
2856 | KGZSZ.exe
4960 | MENM.exe
3856 | UKFAH.exe
1056 | DXQ.exe
4480 | OQTLGIW.exe
3956 | SYZLKA.exe
5048 | CVFG.exe
4572 | NOIYZ.exe
980 | BUIK.exe
3864 | LSV.exe
2196 | PACED.exe
4092 | YAEJGZR.exe
3568 | TVJ.exe
5108 | KBTLHW.exe
4876 | LEX.exe
3640 | UMZU.exe
452 | JHIYIEG.exe
4976 | EUNH.exe
3928 | EAGWU.exe
3004 | YVKFWRM.exe
2796 | ZQWJKG.exe
3092 | STAFPWX.exe
4160 | CRGZXFG.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid | Process (each pair is listed twice in the report, giving 64 rows)
1068 | 0c0c2700e9b8da45e90cb8a8ff4010fd6b8edacf484c15aeca5fc57f39876ff9N.exe
4976 | IBSIEPH.exe
4416 | SZYC.exe
4740 | UCHJE.exe
3660 | UHZYF.exe
3896 | TAIZL.exe
2700 | FSLSTKQ.exe
2128 | HGQ.exe
2416 | PWRTKFU.exe
2856 | KGZSZ.exe
4960 | MENM.exe
3856 | UKFAH.exe
1056 | DXQ.exe
4480 | OQTLGIW.exe
3956 | SYZLKA.exe
5048 | CVFG.exe
4572 | NOIYZ.exe
980 | BUIK.exe
3864 | LSV.exe
2196 | PACED.exe
4092 | YAEJGZR.exe
3568 | TVJ.exe
5108 | KBTLHW.exe
4876 | LEX.exe
3640 | UMZU.exe
452 | JHIYIEG.exe
4976 | EUNH.exe
3928 | EAGWU.exe
3004 | YVKFWRM.exe
2796 | ZQWJKG.exe
3092 | STAFPWX.exe
4160 | CRGZXFG.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | times listed
PID 1068 wrote to memory of 1932 | 1068 | 0c0c2700e9b8da45e90cb8a8ff4010fd6b8edacf484c15aeca5fc57f39876ff9N.exe | 86 | 3
PID 1932 wrote to memory of 4976 | 1932 | cmd.exe | 90 | 3
PID 4976 wrote to memory of 668 | 4976 | IBSIEPH.exe | 92 | 3
PID 668 wrote to memory of 4416 | 668 | cmd.exe | 96 | 3
PID 4416 wrote to memory of 3864 | 4416 | SZYC.exe | 97 | 3
PID 3864 wrote to memory of 4740 | 3864 | cmd.exe | 101 | 3
PID 4740 wrote to memory of 5032 | 4740 | UCHJE.exe | 102 | 3
PID 5032 wrote to memory of 3660 | 5032 | cmd.exe | 106 | 3
PID 3660 wrote to memory of 944 | 3660 | UHZYF.exe | 107 | 3
PID 944 wrote to memory of 3896 | 944 | cmd.exe | 111 | 3
PID 3896 wrote to memory of 4532 | 3896 | TAIZL.exe | 112 | 3
PID 4532 wrote to memory of 2700 | 4532 | cmd.exe | 116 | 3
PID 2700 wrote to memory of 1408 | 2700 | FSLSTKQ.exe | 117 | 3
PID 1408 wrote to memory of 2128 | 1408 | cmd.exe | 121 | 3
PID 2128 wrote to memory of 4812 | 2128 | HGQ.exe | 122 | 3
PID 4812 wrote to memory of 2416 | 4812 | cmd.exe | 126 | 3
PID 2416 wrote to memory of 2596 | 2416 | PWRTKFU.exe | 127 | 3
PID 2596 wrote to memory of 2856 | 2596 | cmd.exe | 131 | 3
PID 2856 wrote to memory of 836 | 2856 | KGZSZ.exe | 132 | 3
PID 836 wrote to memory of 4960 | 836 | cmd.exe | 136 | 3
PID 4960 wrote to memory of 1968 | 4960 | MENM.exe | 137 | 3
PID 1968 wrote to memory of 3856 | 1968 | cmd.exe | 141 | 1
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\0c0c2700e9b8da45e90cb8a8ff4010fd6b8edacf484c15aeca5fc57f39876ff9N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c0c2700e9b8da45e90cb8a8ff4010fd6b8edacf484c15aeca5fc57f39876ff9N.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1068

Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IBSIEPH.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1932

Level 3: C:\windows\system\IBSIEPH.exe
  Command line: C:\windows\system\IBSIEPH.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4976

Level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SZYC.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 668

Level 5: C:\windows\system\SZYC.exe
  Command line: C:\windows\system\SZYC.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4416

Level 6: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UCHJE.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3864

Level 7: C:\windows\UCHJE.exe
  Command line: C:\windows\UCHJE.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4740

Level 8: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UHZYF.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 5032

Level 9: C:\windows\UHZYF.exe
  Command line: C:\windows\UHZYF.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3660

Level 10: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TAIZL.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 944

Level 11: C:\windows\SysWOW64\TAIZL.exe
  Command line: C:\windows\system32\TAIZL.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3896

Level 12: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FSLSTKQ.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4532

Level 13: C:\windows\SysWOW64\FSLSTKQ.exe
  Command line: C:\windows\system32\FSLSTKQ.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2700

Level 14: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HGQ.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1408

Level 15: C:\windows\system\HGQ.exe
  Command line: C:\windows\system\HGQ.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PWRTKFU.exe.bat" "16⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\windows\SysWOW64\PWRTKFU.exeC:\windows\system32\PWRTKFU.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KGZSZ.exe.bat" "18⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\windows\KGZSZ.exeC:\windows\KGZSZ.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MENM.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:836 -
C:\windows\SysWOW64\MENM.exeC:\windows\system32\MENM.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKFAH.exe.bat" "22⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\windows\SysWOW64\UKFAH.exeC:\windows\system32\UKFAH.exe23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DXQ.exe.bat" "24⤵PID:3876
-
C:\windows\system\DXQ.exeC:\windows\system\DXQ.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OQTLGIW.exe.bat" "26⤵
- System Location Discovery: System Language Discovery
PID:1040 -
C:\windows\SysWOW64\OQTLGIW.exeC:\windows\system32\OQTLGIW.exe27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SYZLKA.exe.bat" "28⤵PID:1880
-
C:\windows\system\SYZLKA.exeC:\windows\system\SYZLKA.exe29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CVFG.exe.bat" "30⤵PID:3492
-
C:\windows\system\CVFG.exeC:\windows\system\CVFG.exe31⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOIYZ.exe.bat" "32⤵PID:228
-
C:\windows\SysWOW64\NOIYZ.exeC:\windows\system32\NOIYZ.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4572 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUIK.exe.bat" "34⤵
- System Location Discovery: System Language Discovery
PID:2808 -
C:\windows\SysWOW64\BUIK.exeC:\windows\system32\BUIK.exe35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LSV.exe.bat" "36⤵PID:4652
-
C:\windows\system\LSV.exeC:\windows\system\LSV.exe37⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PACED.exe.bat" "38⤵PID:5056
-
C:\windows\SysWOW64\PACED.exeC:\windows\system32\PACED.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2196 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YAEJGZR.exe.bat" "40⤵
- System Location Discovery: System Language Discovery
PID:1696 -
C:\windows\SysWOW64\YAEJGZR.exeC:\windows\system32\YAEJGZR.exe41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TVJ.exe.bat" "42⤵PID:944
-
C:\windows\system\TVJ.exeC:\windows\system\TVJ.exe43⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KBTLHW.exe.bat" "44⤵PID:2768
-
C:\windows\system\KBTLHW.exeC:\windows\system\KBTLHW.exe45⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LEX.exe.bat" "46⤵PID:1640
-
C:\windows\system\LEX.exeC:\windows\system\LEX.exe47⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UMZU.exe.bat" "48⤵PID:4920
-
C:\windows\SysWOW64\UMZU.exeC:\windows\system32\UMZU.exe49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JHIYIEG.exe.bat" "50⤵PID:3244
-
C:\windows\JHIYIEG.exeC:\windows\JHIYIEG.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EUNH.exe.bat" "52⤵PID:768
-
C:\windows\SysWOW64\EUNH.exeC:\windows\system32\EUNH.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EAGWU.exe.bat" "54⤵PID:2856
-
C:\windows\EAGWU.exeC:\windows\EAGWU.exe55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3928 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YVKFWRM.exe.bat" "56⤵
- System Location Discovery: System Language Discovery
PID:3648 -
C:\windows\system\YVKFWRM.exeC:\windows\system\YVKFWRM.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZQWJKG.exe.bat" "58⤵
- System Location Discovery: System Language Discovery
PID:3936 -
C:\windows\ZQWJKG.exeC:\windows\ZQWJKG.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\STAFPWX.exe.bat" "60⤵
- System Location Discovery: System Language Discovery
PID:1388 -
C:\windows\system\STAFPWX.exeC:\windows\system\STAFPWX.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CRGZXFG.exe.bat" "62⤵PID:2168
-
C:\windows\SysWOW64\CRGZXFG.exeC:\windows\system32\CRGZXFG.exe63⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4160 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HRNN.exe.bat" "64⤵
- System Location Discovery: System Language Discovery
PID:5012 -
C:\windows\system\HRNN.exeC:\windows\system\HRNN.exe65⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NSVB.exe.bat" "66⤵PID:4936
-
C:\windows\NSVB.exeC:\windows\NSVB.exe67⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4420 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZKYTFR.exe.bat" "68⤵PID:2480
-
C:\windows\ZKYTFR.exeC:\windows\ZKYTFR.exe69⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CSE.exe.bat" "70⤵PID:1512
-
C:\windows\CSE.exeC:\windows\CSE.exe71⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MAGGVG.exe.bat" "72⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\windows\system\MAGGVG.exeC:\windows\system\MAGGVG.exe73⤵
- Checks computer location settings
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XTB.exe.bat" "74⤵
- System Location Discovery: System Language Discovery
PID:736 -
C:\windows\system\XTB.exeC:\windows\system\XTB.exe75⤵
- Checks computer location settings
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DTJ.exe.bat" "76⤵PID:1380
-
C:\windows\DTJ.exeC:\windows\DTJ.exe77⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZZPCT.exe.bat" "78⤵PID:4296
-
C:\windows\system\ZZPCT.exeC:\windows\system\ZZPCT.exe79⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SUG.exe.bat" "80⤵PID:5012
-
C:\windows\SUG.exeC:\windows\SUG.exe81⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PAMD.exe.bat" "82⤵PID:3208
-
C:\windows\system\PAMD.exeC:\windows\system\PAMD.exe83⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MAUQOI.exe.bat" "84⤵PID:3148
-
C:\windows\system\MAUQOI.exeC:\windows\system\MAUQOI.exe85⤵
- Checks computer location settings
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NDY.exe.bat" "86⤵PID:2984
-
C:\windows\system\NDY.exeC:\windows\system\NDY.exe87⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RLEUFI.exe.bat" "88⤵PID:3864
-
C:\windows\SysWOW64\RLEUFI.exeC:\windows\system32\RLEUFI.exe89⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EWIBKIL.exe.bat" "90⤵PID:64
-
C:\windows\EWIBKIL.exeC:\windows\EWIBKIL.exe91⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OWC.exe.bat" "92⤵PID:4448
-
C:\windows\system\OWC.exeC:\windows\system\OWC.exe93⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:760 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SMRGAX.exe.bat" "94⤵
- System Location Discovery: System Language Discovery
PID:232 -
C:\windows\SysWOW64\SMRGAX.exeC:\windows\system32\SMRGAX.exe95⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SHVJ.exe.bat" "96⤵PID:4392
-
C:\windows\SysWOW64\SHVJ.exeC:\windows\system32\SHVJ.exe97⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NCZTQN.exe.bat" "98⤵PID:540
-
C:\windows\system\NCZTQN.exeC:\windows\system\NCZTQN.exe99⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\AFIR.exe.bat" "100⤵PID:1928
-
C:\windows\SysWOW64\AFIR.exeC:\windows\system32\AFIR.exe101⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VTNBOQ.exe.bat" "102⤵PID:2568
-
C:\windows\system\VTNBOQ.exeC:\windows\system\VTNBOQ.exe103⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BOMC.exe.bat" "104⤵PID:2348
-
C:\windows\system\BOMC.exeC:\windows\system\BOMC.exe105⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4372 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FESCFL.exe.bat" "106⤵PID:2936
-
C:\windows\FESCFL.exeC:\windows\FESCFL.exe107⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UZCO.exe.bat" "108⤵PID:2788
-
C:\windows\SysWOW64\UZCO.exeC:\windows\system32\UZCO.exe109⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZETU.exe.bat" "110⤵PID:1792
-
C:\windows\SysWOW64\LZETU.exeC:\windows\system32\LZETU.exe111⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUBF.exe.bat" "112⤵
- System Location Discovery: System Language Discovery
PID:1244 -
C:\windows\SysWOW64\SUBF.exeC:\windows\system32\SUBF.exe113⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ENEYEM.exe.bat" "114⤵PID:2216
-
C:\windows\ENEYEM.exeC:\windows\ENEYEM.exe115⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\TQN.exe.bat" "116⤵PID:4648
-
C:\windows\TQN.exeC:\windows\TQN.exe117⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4304 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NDSMH.exe.bat" "118⤵
- System Location Discovery: System Language Discovery
PID:2860 -
C:\windows\SysWOW64\NDSMH.exeC:\windows\system32\NDSMH.exe119⤵
- Checks computer location settings
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZWVFHG.exe.bat" "120⤵PID:2440
-
C:\windows\ZWVFHG.exeC:\windows\ZWVFHG.exe121⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3648 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZBNTJTU.exe.bat" "122⤵PID:1636
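The tree above is one hop repeated about sixty times: a dropped executable with a random upper-case name runs cmd.exe /c on a .bat of the same name, the .bat starts the next dropped executable, and the drop location cycles between C:\windows, C:\windows\system and C:\windows\system32 (shown as SysWOW64 because the sample is 32-bit). The script below is an added example and not part of the sandbox report: it parses the flattened "image + command line + depth⤵" rendering used on this page, rebuilds parent links from the depth numbers, flags each cmd.exe /c X.exe.bat hop whose child is X.exe, lists dropped binaries living directly in those Windows directories, and cross-checks the WriteProcessMemory records against the tree edges. The regular expressions are assumptions about this page's rendering, WATCHED_DIRS is my choice, and the sample input is copied from the report's own FSLSTKQ.exe, HGQ.exe and PWRTKFU.exe entries.

```python
"""Parse the flattened sandbox process tree shown on this page and flag the
cmd.exe /c "<name>.exe.bat" -> <name>.exe relay that the sample repeats at
every level.  Added example; not part of the sandbox report.  SAMPLE_TREE and
SAMPLE_WPM are copied from the report's own tree and WriteProcessMemory list
(the FSLSTKQ.exe -> HGQ.exe -> PWRTKFU.exe hops)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Tree entry as rendered on the page: "<image path><command line><depth>⤵" with
# an optional "PID:<n>" glued on when the entry carries no signatures.
ENTRY_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^"]*?\.exe)(?P<cmdline>.*?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?$',
    re.I)
PID_RE = re.compile(r'^PID:(?P<pid>\d+)')
BAT_RE = re.compile(r'/c\s+""(?P<bat>[^"]+\.bat)"', re.I)
# "PID <writer> wrote to memory of <target> <writer> <writer image> <index>"
WPM_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+')

# Assumed watch list: dropped binaries directly in these directories are the
# indicator; C:\windows\system in particular is a legacy directory that normal
# software does not populate with executables.
WATCHED_DIRS = ('c:\\windows\\', 'c:\\windows\\system\\', 'c:\\windows\\system32\\')


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    sigs: list = field(default_factory=list)
    parent: Optional["Proc"] = None


def canon(path: str) -> str:
    """Lower-case and fold the WOW64 redirection so system32 and SysWOW64 compare equal."""
    return path.lower().replace('\\syswow64\\', '\\system32\\')


def parse_tree(text: str) -> list:
    """Rebuild parent links from the depth numbers; signature and PID lines attach to the last entry."""
    procs, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            p = Proc(m['image'], m['cmdline'].strip(), int(m['depth']),
                     int(m['pid']) if m['pid'] else None)
            while stack and stack[-1].depth >= p.depth:   # climb back to the parent level
                stack.pop()
            p.parent = stack[-1] if stack else None
            stack.append(p)
            procs.append(p)
        elif procs and (m := PID_RE.match(line)):
            procs[-1].pid = int(m['pid'])
        elif procs and line.startswith('- '):
            procs[-1].sigs.append(line[2:])
    return procs


def find_bat_relays(procs: list) -> list:
    """(parent exe, .bat path, child exe) for each cmd.exe /c X.exe.bat hop that launched X.exe."""
    relays = []
    for p in procs:
        if not p.image.lower().endswith('\\cmd.exe'):
            continue
        m = BAT_RE.search(p.cmdline)
        if not m:
            continue
        target = m['bat'][:-len('.bat')]            # X.exe.bat -> X.exe
        for c in procs:
            if c.parent is p and canon(c.image) == canon(target):
                relays.append((p.parent.image if p.parent else None, m['bat'], c.image))
    return relays


def dropped_in_watched_dirs(procs: list) -> set:
    """Images flagged 'Executes dropped EXE' that live directly in a watched Windows directory."""
    hits = set()
    for p in procs:
        if 'Executes dropped EXE' in p.sigs:
            directory = canon(p.image).rsplit('\\', 1)[0] + '\\'
            if directory in WATCHED_DIRS:
                hits.add(p.image)
    return hits


def unmatched_wpm_records(procs: list, wpm_text: str) -> set:
    """WriteProcessMemory records with no matching parent->child edge in the parsed tree."""
    edges = {(p.parent.pid, p.parent.image.rsplit('\\', 1)[-1], p.pid) for p in procs if p.parent}
    records = {(int(w), image, int(t)) for w, t, image in WPM_RE.findall(wpm_text)}
    return records - edges


# Input copied from this report (depths 13-17 of the tree, and the matching WPM list).
SAMPLE_TREE = r'''
C:\windows\SysWOW64\FSLSTKQ.exeC:\windows\system32\FSLSTKQ.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HGQ.exe.bat" "14⤵
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\windows\system\HGQ.exeC:\windows\system\HGQ.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PWRTKFU.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\windows\SysWOW64\PWRTKFU.exeC:\windows\system32\PWRTKFU.exe17⤵
- Executes dropped EXE
PID:2416 -
'''
SAMPLE_WPM = ("PID 2700 wrote to memory of 1408 2700 FSLSTKQ.exe 117 "
              "PID 1408 wrote to memory of 2128 1408 cmd.exe 121 "
              "PID 2128 wrote to memory of 4812 2128 HGQ.exe 122 "
              "PID 4812 wrote to memory of 2416 4812 cmd.exe 126 "
              "PID 2416 wrote to memory of 2596 2416 PWRTKFU.exe 127")

if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for parent, bat, child in find_bat_relays(tree):
        print(f"relay: {parent} -> cmd /c {bat} -> {child}")
    print("dropped in watched dirs:", sorted(dropped_in_watched_dirs(tree)))
    print("WPM records without a tree edge:", unmatched_wpm_records(tree, SAMPLE_WPM))
```

The one unmatched WriteProcessMemory record (2416 writing into 2596) is expected here because the excerpt stops at PWRTKFU.exe while the report's list continues to its cmd.exe child; on the full tree the set should be empty, and any record that is not explained by a parent/child edge would be the interesting one. The WriteProcessMemory entries themselves are the normal handle writes a parent makes when starting a child under WOW64, which is why every cmd.exe in the chain carries that tag.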