Analysis
max time kernel: 150s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2024, 18:19
Static task: static1
Behavioral task: behavioral1
  Sample: 05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe
  Resource: win10v2004-20241007-en
General
Target: 05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe
Size: 208KB
MD5: be19846d55bddda28c0be81c3cdbb835
SHA1: e901993a98a3611a90c6c6c903f7e6415b14b87f
SHA256: 05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67
SHA512: 1b6a7c1ac14dede1ba20f80ce5fb92514a611df54e169a1c1974465a950691e434a602b0d829503028163eb3900b4822cdcb19b71e80a9e79185e29f10ed0ad7
SSDEEP: 3072:qVzfDascJ5hrdVn0zrWwskaJDals3Aka4jd7e4NLthEjQT6+:qhfMrDnwRsJglyAka4ByQEjM
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (nesting depth as reported by the sandbox; each entry gives the image path, the command line that launched it, the behaviour tags and the PID)

[depth 1] C:\Users\Admin\AppData\Local\Temp\05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05f412e900dcd074380eeaa7bda4c8e95d8e276353867d68ad8d261dbd433f67.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4880

[depth 2] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TYWGDP.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID:5112

[depth 3] C:\windows\TYWGDP.exe
  Command line: C:\windows\TYWGDP.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2192

[depth 4] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QYYIP.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID:4892

[depth 5] C:\windows\SysWOW64\QYYIP.exe
  Command line: C:\windows\system32\QYYIP.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396

[depth 6] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJOHV.exe.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4916

[depth 7] C:\windows\SysWOW64\LJOHV.exe
  Command line: C:\windows\system32\LJOHV.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4172

[depth 8] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RMKF.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID:2136

[depth 9] C:\windows\system\RMKF.exe
  Command line: C:\windows\system\RMKF.exe
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3468

[depth 10] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KEAQ.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID:3248

[depth 11] C:\windows\system\KEAQ.exe
  Command line: C:\windows\system\KEAQ.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1796

[depth 12] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZUB.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID:1732

[depth 13] C:\windows\ZUB.exe
  Command line: C:\windows\ZUB.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1000

[depth 14] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UIGZ.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID:3992

[depth 15] C:\windows\UIGZ.exe
  Command line: C:\windows\UIGZ.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:848

[depth 16] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WFLTQKQ.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID:1556

[depth 17] C:\windows\WFLTQKQ.exe
  Command line: C:\windows\WFLTQKQ.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4564

[depth 18] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UDSWCE.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID:3844

[depth 19] C:\windows\UDSWCE.exe
  Command line: C:\windows\UDSWCE.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4552

[depth 20] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\GWN.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID:3416

[depth 21] C:\windows\GWN.exe
  Command line: C:\windows\GWN.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4844

[depth 22] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KEUPO.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID:2776

[depth 23] C:\windows\SysWOW64\KEUPO.exe
  Command line: C:\windows\system32\KEUPO.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4120

[depth 24] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\GJZMVNL.exe.bat" "
  PID:2520

[depth 25] C:\windows\system\GJZMVNL.exe
  Command line: C:\windows\system\GJZMVNL.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3340

[depth 26] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EFZVA.exe.bat" "
  PID:2504

[depth 27] C:\windows\SysWOW64\EFZVA.exe
  Command line: C:\windows\system32\EFZVA.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1416

[depth 28] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BCEK.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID:4188

[depth 29] C:\windows\SysWOW64\BCEK.exe
  Command line: C:\windows\system32\BCEK.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3440

[depth 30] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BFI.exe.bat" "
  PID:2164

[depth 31] C:\windows\SysWOW64\BFI.exe
  Command line: C:\windows\system32\BFI.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1000

[depth 32] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BYR.exe.bat" "
  PID:2076

[depth 33] C:\windows\BYR.exe
  Command line: C:\windows\BYR.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:848

[depth 34] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WLOZL.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID:5000

[depth 35] C:\windows\system\WLOZL.exe
  Command line: C:\windows\system\WLOZL.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4232

[depth 36] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LBXQ.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID:2864

[depth 37] C:\windows\SysWOW64\LBXQ.exe
  Command line: C:\windows\system32\LBXQ.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1876

[depth 38] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AWGUCC.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID:4704

[depth 39] C:\windows\system\AWGUCC.exe
  Command line: C:\windows\system\AWGUCC.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4156

[depth 40] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KUMP.exe.bat" "
  PID:2192

[depth 41] C:\windows\SysWOW64\KUMP.exe
  Command line: C:\windows\system32\KUMP.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:764

[depth 42] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UUOUV.exe.bat" "
  PID:1932

[depth 43] C:\windows\UUOUV.exe
  Command line: C:\windows\UUOUV.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:456

[depth 44] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QAURCRJ.exe.bat" "
  PID:3248

[depth 45] C:\windows\system\QAURCRJ.exe
  Command line: C:\windows\system\QAURCRJ.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1724

[depth 46] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PLWHLX.exe.bat" "
  PID:2844

[depth 47] C:\windows\SysWOW64\PLWHLX.exe
  Command line: C:\windows\system32\PLWHLX.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:968

[depth 48] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CVFG.exe.bat" "
  PID:1312

[depth 49] C:\windows\system\CVFG.exe
  Command line: C:\windows\system\CVFG.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4620

[depth 50] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\GZDTZBD.exe.bat" "
  PID:696

[depth 51] C:\windows\GZDTZBD.exe
  Command line: C:\windows\GZDTZBD.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1080

[depth 52] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QWRNHK.exe.bat" "
  PID:4112

[depth 53] C:\windows\system\QWRNHK.exe
  Command line: C:\windows\system\QWRNHK.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3968

[depth 54] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FCWKWU.exe.bat" "
  PID:400

[depth 55] C:\windows\FCWKWU.exe
  Command line: C:\windows\FCWKWU.exe
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3636

[depth 56] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QURDWBV.exe.bat" "
  PID:4480

[depth 57] C:\windows\system\QURDWBV.exe
  Command line: C:\windows\system\QURDWBV.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:916

[depth 58] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WVZR.exe.bat" "
  PID:2520

[depth 59] C:\windows\system\WVZR.exe
  Command line: C:\windows\system\WVZR.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:220

[depth 60] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RFPPTGS.exe.bat" "
  PID:2088

[depth 61] C:\windows\system\RFPPTGS.exe
  Command line: C:\windows\system\RFPPTGS.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2208

[depth 62] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZWQHAB.exe.bat" "
  PID:2032

[depth 63] C:\windows\system\ZWQHAB.exe
  Command line: C:\windows\system\ZWQHAB.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3148

[depth 64] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\EWY.exe.bat" "
  PID:1464

[depth 65] C:\windows\EWY.exe
  Command line: C:\windows\EWY.exe
  - Checks computer location settings
  - Executes dropped EXE
  PID:1728

[depth 66] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FRCYW.exe.bat" "
  PID:4032

[depth 67] C:\windows\FRCYW.exe
  Command line: C:\windows\FRCYW.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4044

[depth 68] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FEUMYZ.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID:1000

[depth 69] C:\windows\system\FEUMYZ.exe
  Command line: C:\windows\system\FEUMYZ.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4452

[depth 70] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JNJ.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID:2868

[depth 71] C:\windows\SysWOW64\JNJ.exe
  Command line: C:\windows\system32\JNJ.exe
  - Executes dropped EXE
  PID:3280

[depth 72] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TKO.exe.bat" "
  PID:4596

[depth 73] C:\windows\system\TKO.exe
  Command line: C:\windows\system\TKO.exe
  - Executes dropped EXE
  PID:3988

[depth 74] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\GVXYGC.exe.bat" "
  PID:1988

[depth 75] C:\windows\system\GVXYGC.exe
  Command line: C:\windows\system\GVXYGC.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:396

[depth 76] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BICPQCB.exe.bat" "
  PID:4156

[depth 77] C:\windows\SysWOW64\BICPQCB.exe
  Command line: C:\windows\system32\BICPQCB.exe
  - Executes dropped EXE
  PID:3408

[depth 78] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\DGD.exe.bat" "
  PID:2820

[depth 79] C:\windows\DGD.exe
  Command line: C:\windows\DGD.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2588

[depth 80] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\JGKXF.exe.bat" "
  PID:2256

[depth 81] C:\windows\JGKXF.exe
  Command line: C:\windows\JGKXF.exe
  - Checks computer location settings
  - Executes dropped EXE
  PID:4576

[depth 82] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FMIUM.exe.bat" "
  PID:3428

[depth 83] C:\windows\FMIUM.exe
  Command line: C:\windows\FMIUM.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2056

[depth 84] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YHMQ.exe.bat" "
  PID:1016

[depth 85] C:\windows\YHMQ.exe
  Command line: C:\windows\YHMQ.exe
  - Executes dropped EXE
  PID:3916

[depth 86] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RKLBWXX.exe.bat" "
  PID:2824

[depth 87] C:\windows\system\RKLBWXX.exe
  Command line: C:\windows\system\RKLBWXX.exe
  - Executes dropped EXE
  PID:2052

[depth 88] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AIRNDF.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID:3416

[depth 89] C:\windows\system\AIRNDF.exe
  Command line: C:\windows\system\AIRNDF.exe
  - Executes dropped EXE
  PID:1304

[depth 90] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OLZM.exe.bat" "
  PID:4572

[depth 91] C:\windows\system\OLZM.exe
  Command line: C:\windows\system\OLZM.exe
  - Executes dropped EXE
  PID:3760

[depth 92] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YJNG.exe.bat" "
  PID:2084

[depth 93] C:\windows\SysWOW64\YJNG.exe
  Command line: C:\windows\system32\YJNG.exe
  - Checks computer location settings
  - Executes dropped EXE
  PID:4928

[depth 94] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\QMRCNP.exe.bat" "
  PID:4144

[depth 95] C:\windows\QMRCNP.exe
  Command line: C:\windows\QMRCNP.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2756

[depth 96] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AJWXU.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID:2512

[depth 97] C:\windows\SysWOW64\AJWXU.exe
  Command line: C:\windows\system32\AJWXU.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5060

[depth 98] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IZXW.exe.bat" "
  PID:1616

[depth 99] C:\windows\system\IZXW.exe
  Command line: C:\windows\system\IZXW.exe
  - Checks computer location settings
  - Executes dropped EXE
  PID:2320

[depth 100] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TSA.exe.bat" "
  PID:2844

[depth 101] C:\windows\SysWOW64\TSA.exe
  Command line: C:\windows\system32\TSA.exe
  - Executes dropped EXE
  PID:1524

[depth 102] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ODJ.exe.bat" "
  PID:2340

[depth 103] C:\windows\system\ODJ.exe
  Command line: C:\windows\system\ODJ.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4384

[depth 104] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDLS.exe.bat" "
  PID:3208

[depth 105] C:\windows\SysWOW64\YDLS.exe
  Command line: C:\windows\system32\YDLS.exe
  - Checks computer location settings
  - Executes dropped EXE
  PID:4892

[depth 106] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DDTGKC.exe.bat" "
  PID:4468

[depth 107] C:\windows\system\DDTGKC.exe
  Command line: C:\windows\system\DDTGKC.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1816

[depth 108] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HTZG.exe.bat" "
  PID:4916

[depth 109] C:\windows\HTZG.exe
  Command line: C:\windows\HTZG.exe
  - Executes dropped EXE
  PID:2324

[depth 110] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TMCZE.exe.bat" "
  - System Location Discovery: System Language Discovery
  PID:2136

[depth 111] C:\windows\TMCZE.exe
  Command line: C:\windows\TMCZE.exe
  - Executes dropped EXE
  PID:2536

[depth 112] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KMEEIH.exe.bat" "
  PID:4536

[depth 113] C:\windows\KMEEIH.exe
  Command line: C:\windows\KMEEIH.exe
  - Checks computer location settings
  - Executes dropped EXE
  PID:3184

[depth 114] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MKKYPQ.exe.bat" "
  PID:4260

[depth 115] C:\windows\system\MKKYPQ.exe
  Command line: C:\windows\system\MKKYPQ.exe
  - Checks computer location settings
  - Executes dropped EXE
  PID:4548

[depth 116] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HXPIZQA.exe.bat" "
  PID:2804

[depth 117] C:\windows\system\HXPIZQA.exe
  Command line: C:\windows\system\HXPIZQA.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:536

[depth 118] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\MYW.exe.bat" "
  PID:768

[depth 119] C:\windows\MYW.exe
  Command line: C:\windows\MYW.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3892

[depth 120] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\COXVPF.exe.bat" "
  PID:2540

[depth 121] C:\windows\COXVPF.exe
  Command line: C:\windows\COXVPF.exe
  - Executes dropped EXE
  PID:1772

[depth 122] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RJPZ.exe.bat" "
  PID:2408