Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
86s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
26/07/2024, 20:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
-
Size
289KB
-
MD5
5e6849658c66ec6b6e83708ea8282abe
-
SHA1
c9372cb19e1dda2bc97da79d42c61bb13880726e
-
SHA256
31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a
-
SHA512
f6a1034c65069c670898f9e521e4dee3c8985a2f584e8c8d7764ce974bbe526beaaa8f83f049c020ca1dca8256d000347562546cacde629faa781e354b8cc799
-
SSDEEP
6144:9OMJqCoAe4irtAIVGKaW04YG5kECzJLaQVbU5:9OMJqS8rcRW0k5klJLJbU5
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation BNZU.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation ATRVGCI.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation SAY.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation BRH.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation WWVZ.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation FREG.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation ANCZSFR.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation IWHQMPW.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation EIDOBI.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation OCBGS.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation IOIKVK.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation BPVMZ.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation EKZGLA.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation FHVGTTS.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation AFVRD.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation QBR.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation WYHVV.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation QGM.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation ICKVH.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation DZKQYEN.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation SVUODN.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation WKXMDS.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation VXG.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation CECCS.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation FNECZ.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation JSS.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation RDP.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation UJKL.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation ZRH.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation CQPIA.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation QLBI.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation YEFPGSR.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation DFHRJW.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation DKITMKJ.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation NLW.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation CST.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation GTBGWLG.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation OWEJKEX.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation HQBB.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation XABEIT.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation KIHHSO.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation HFYRGI.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation YIFHCK.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation ULT.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation ZYXYUQB.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation CLBDOT.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation RXP.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation WUYGHZR.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation QCVRG.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation KFVF.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation VYTQH.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation WICR.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation WWKAPM.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation RMU.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation GPKHYW.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation ITUY.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation ZLVJ.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation GABH.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation 31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation CPKHNNZ.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation CWYOY.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation ZCOUAE.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation WRZ.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation AMKJ.exe -
Executes dropped EXE 64 IoCs
pid Process 3312 GTBGWLG.exe 4888 WUYGHZR.exe 4332 CPKHNNZ.exe 3496 RDP.exe 1208 WYHVV.exe 4264 UJKL.exe 1692 OWEJKEX.exe 1760 AMKJ.exe 4508 THO.exe 4440 EIDOBI.exe 4332 VTUEBD.exe 5032 WWKAPM.exe 1252 YEFPGSR.exe 4164 DFHRJW.exe 4312 SAY.exe 2840 QGM.exe 1680 WGTTV.exe 3584 RMU.exe 1080 ZRH.exe 960 HFYRGI.exe 1280 ZXIZK.exe 3496 YIFHCK.exe 4988 TOR.exe 2752 FRCYW.exe 744 GPKHYW.exe 228 OCBGS.exe 4196 TVLI.exe 3356 HQBB.exe 3552 IOIKVK.exe 376 QCVRG.exe 3940 EXTK.exe 4660 BPVMZ.exe 3864 CLBDOT.exe 388 BRH.exe 2280 ZGHI.exe 688 WWVZ.exe 4764 EKZGLA.exe 2788 KFLHR.exe 2356 LVTQBHD.exe 2976 FREG.exe 2908 NWRM.exe 644 DKITMKJ.exe 3156 FHVGTTS.exe 748 AFVRD.exe 4976 ITUY.exe 2128 NLW.exe 3292 QBR.exe 1892 CECCS.exe 2000 BXR.exe 4640 BNZU.exe 4920 CQPIA.exe 4264 QLBI.exe 3408 CWYOY.exe 3336 WKXMDS.exe 4992 KFVF.exe 4944 FNECZ.exe 3668 FQUQOE.exe 976 ATRVGCI.exe 3240 RXP.exe 4948 ZCOUAE.exe 1648 XABEIT.exe 1420 ULT.exe 2280 YOE.exe 232 UZM.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\windows\SysWOW64\CPKHNNZ.exe WUYGHZR.exe File opened for modification C:\windows\SysWOW64\WYHVV.exe RDP.exe File created C:\windows\SysWOW64\WGTTV.exe QGM.exe File opened for modification C:\windows\SysWOW64\HQBB.exe TVLI.exe File opened for modification C:\windows\SysWOW64\JSS.exe VXG.exe File created C:\windows\SysWOW64\ICKVH.exe.bat WRZ.exe File opened for modification C:\windows\SysWOW64\UJKL.exe WYHVV.exe File created C:\windows\SysWOW64\WKXMDS.exe.bat CWYOY.exe File created C:\windows\SysWOW64\CPKHNNZ.exe.bat WUYGHZR.exe File created C:\windows\SysWOW64\WYHVV.exe.bat RDP.exe File created C:\windows\SysWOW64\FREG.exe.bat LVTQBHD.exe File created C:\windows\SysWOW64\ITUY.exe.bat AFVRD.exe File opened for modification C:\windows\SysWOW64\FYRTVL.exe SVUODN.exe File created C:\windows\SysWOW64\WYHVV.exe RDP.exe File created C:\windows\SysWOW64\UJKL.exe WYHVV.exe File created C:\windows\SysWOW64\FREG.exe LVTQBHD.exe File created C:\windows\SysWOW64\NWRM.exe FREG.exe File opened for modification C:\windows\SysWOW64\DKITMKJ.exe NWRM.exe File created C:\windows\SysWOW64\JSS.exe VXG.exe File created C:\windows\SysWOW64\DKITMKJ.exe NWRM.exe File opened for modification C:\windows\SysWOW64\ITUY.exe AFVRD.exe File created C:\windows\SysWOW64\ATRVGCI.exe.bat FQUQOE.exe File opened for modification C:\windows\SysWOW64\ICKVH.exe WRZ.exe File created C:\windows\SysWOW64\ZLVJ.exe CST.exe File created C:\windows\SysWOW64\YMQZA.exe FYRTVL.exe File created C:\windows\SysWOW64\YMQZA.exe.bat FYRTVL.exe File created C:\windows\SysWOW64\YEFPGSR.exe WWKAPM.exe File created C:\windows\SysWOW64\WGTTV.exe.bat QGM.exe File opened for modification C:\windows\SysWOW64\FQUQOE.exe FNECZ.exe File created C:\windows\SysWOW64\ATRVGCI.exe FQUQOE.exe File created C:\windows\SysWOW64\ANCZSFR.exe.bat JSS.exe File created C:\windows\SysWOW64\ICKVH.exe WRZ.exe File opened for modification C:\windows\SysWOW64\YMQZA.exe FYRTVL.exe File opened for modification C:\windows\SysWOW64\WWKAPM.exe VTUEBD.exe File opened for modification C:\windows\SysWOW64\GPKHYW.exe FRCYW.exe File created C:\windows\SysWOW64\DKITMKJ.exe.bat NWRM.exe File created C:\windows\SysWOW64\FQUQOE.exe.bat FNECZ.exe File opened for modification C:\windows\SysWOW64\ATRVGCI.exe FQUQOE.exe File opened for modification C:\windows\SysWOW64\ANCZSFR.exe JSS.exe File created C:\windows\SysWOW64\FYRTVL.exe.bat SVUODN.exe File created C:\windows\SysWOW64\GPKHYW.exe FRCYW.exe File created C:\windows\SysWOW64\HQBB.exe TVLI.exe File opened for modification C:\windows\SysWOW64\CWYOY.exe QLBI.exe File created C:\windows\SysWOW64\ANCZSFR.exe JSS.exe File opened for modification C:\windows\SysWOW64\WKXMDS.exe CWYOY.exe File opened for modification C:\windows\SysWOW64\YEFPGSR.exe WWKAPM.exe File opened for modification C:\windows\SysWOW64\WGTTV.exe QGM.exe File created C:\windows\SysWOW64\HQBB.exe.bat TVLI.exe File opened for modification C:\windows\SysWOW64\LVTQBHD.exe KFLHR.exe File opened for modification C:\windows\SysWOW64\NWRM.exe FREG.exe File created C:\windows\SysWOW64\ITUY.exe AFVRD.exe File created C:\windows\SysWOW64\CWYOY.exe QLBI.exe File created C:\windows\SysWOW64\FQUQOE.exe FNECZ.exe File opened for modification C:\windows\SysWOW64\ZLVJ.exe CST.exe File created C:\windows\SysWOW64\UJKL.exe.bat WYHVV.exe File created C:\windows\SysWOW64\QGM.exe SAY.exe File opened for modification C:\windows\SysWOW64\QGM.exe SAY.exe File created C:\windows\SysWOW64\FYRTVL.exe SVUODN.exe File created C:\windows\SysWOW64\CPKHNNZ.exe WUYGHZR.exe File created C:\windows\SysWOW64\WKXMDS.exe CWYOY.exe File created C:\windows\SysWOW64\WWKAPM.exe.bat VTUEBD.exe File created C:\windows\SysWOW64\CWYOY.exe.bat QLBI.exe File created C:\windows\SysWOW64\ZLVJ.exe.bat CST.exe File created C:\windows\SysWOW64\WWKAPM.exe VTUEBD.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\windows\system\FHVGTTS.exe DKITMKJ.exe File created C:\windows\system\WICR.exe.bat DPNG.exe File opened for modification C:\windows\system\OXVO.exe ICKVH.exe File created C:\windows\system\THO.exe AMKJ.exe File opened for modification C:\windows\system\ZRH.exe RMU.exe File created C:\windows\system\ZRH.exe.bat RMU.exe File created C:\windows\FRCYW.exe.bat TOR.exe File opened for modification C:\windows\system\QCVRG.exe IOIKVK.exe File created C:\windows\system\EKZGLA.exe WWVZ.exe File opened for modification C:\windows\system\CQPIA.exe BNZU.exe File created C:\windows\WRZ.exe.bat ZYXYUQB.exe File opened for modification C:\windows\VYTQH.exe ANCZSFR.exe File created C:\windows\ZYXYUQB.exe WICR.exe File opened for modification C:\windows\system\XEF.exe YMQZA.exe File created C:\windows\system\OWEJKEX.exe.bat UJKL.exe File created C:\windows\VTUEBD.exe.bat EIDOBI.exe File opened for modification C:\windows\system\EKZGLA.exe WWVZ.exe File created C:\windows\system\FHVGTTS.exe.bat DKITMKJ.exe File created C:\windows\RXP.exe.bat ATRVGCI.exe File created C:\windows\DPNG.exe.bat GPLVR.exe File created C:\windows\system\BBFWRWE.exe.bat OYOF.exe File created C:\windows\GTBGWLG.exe.bat 31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe File created C:\windows\system\RMU.exe WGTTV.exe File opened for modification C:\windows\system\OCBGS.exe GPKHYW.exe File created C:\windows\system\BPVMZ.exe EXTK.exe File created C:\windows\YOE.exe.bat ULT.exe File created C:\windows\system\RMU.exe.bat WGTTV.exe File created C:\windows\system\OCBGS.exe GPKHYW.exe File created C:\windows\system\BPVMZ.exe.bat EXTK.exe File opened for modification C:\windows\RXP.exe ATRVGCI.exe File created C:\windows\WRZ.exe ZYXYUQB.exe File opened for modification C:\windows\TVLI.exe OCBGS.exe File created C:\windows\FNECZ.exe KFVF.exe File created C:\windows\system\GPLVR.exe.bat GUSLH.exe File created C:\windows\system\SVUODN.exe KIHHSO.exe File opened for modification C:\windows\DZKQYEN.exe BBFWRWE.exe File opened for modification C:\windows\HFYRGI.exe ZRH.exe File created C:\windows\BRH.exe.bat CLBDOT.exe File created C:\windows\RXP.exe ATRVGCI.exe File opened for modification C:\windows\YOE.exe ULT.exe File created C:\windows\system\VXG.exe.bat UZM.exe File created C:\windows\system\FHVGTTS.exe DKITMKJ.exe File created C:\windows\ZCOUAE.exe.bat RXP.exe File opened for modification C:\windows\system\GABH.exe DZKQYEN.exe File opened for modification C:\windows\WUYGHZR.exe GTBGWLG.exe File created C:\windows\system\AMKJ.exe.bat OWEJKEX.exe File opened for modification C:\windows\DFHRJW.exe YEFPGSR.exe File opened for modification C:\windows\system\YIFHCK.exe ZXIZK.exe File created C:\windows\system\QCVRG.exe IOIKVK.exe File created C:\windows\system\OCBGS.exe.bat GPKHYW.exe File opened for modification C:\windows\BXR.exe CECCS.exe File created C:\windows\UZM.exe.bat YOE.exe File created C:\windows\VYTQH.exe.bat ANCZSFR.exe File created C:\windows\BNZU.exe.bat BXR.exe File opened for modification C:\windows\system\VXG.exe UZM.exe File created C:\windows\VYTQH.exe ANCZSFR.exe File created C:\windows\WUYGHZR.exe.bat GTBGWLG.exe File created C:\windows\system\YIFHCK.exe ZXIZK.exe File created C:\windows\system\CLBDOT.exe.bat BPVMZ.exe File created C:\windows\WWVZ.exe ZGHI.exe File created C:\windows\KFLHR.exe.bat EKZGLA.exe File created C:\windows\system\IWHQMPW.exe.bat VYTQH.exe File created C:\windows\OYOF.exe.bat ZLVJ.exe File created C:\windows\CST.exe.bat OXVO.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
pid pid_target Process procid_target 4548 2152 WerFault.exe 83 440 3312 WerFault.exe 93 3296 4888 WerFault.exe 99 812 4332 WerFault.exe 104 2580 3496 WerFault.exe 109 1716 1208 WerFault.exe 114 4396 4264 WerFault.exe 119 4256 1692 WerFault.exe 124 3400 1760 WerFault.exe 131 3196 4508 WerFault.exe 138 2408 4440 WerFault.exe 143 3244 4332 WerFault.exe 148 2140 5032 WerFault.exe 154 5024 1252 WerFault.exe 159 3252 4164 WerFault.exe 164 2000 4312 WerFault.exe 171 2276 2840 WerFault.exe 176 4536 1680 WerFault.exe 181 5032 3584 WerFault.exe 186 1708 1080 WerFault.exe 191 2288 960 WerFault.exe 196 4084 1280 WerFault.exe 201 4040 3496 WerFault.exe 206 2616 4988 WerFault.exe 212 232 2752 WerFault.exe 218 4544 744 WerFault.exe 223 2000 228 WerFault.exe 228 2424 4196 WerFault.exe 233 2028 3356 WerFault.exe 238 4260 3552 WerFault.exe 243 864 376 WerFault.exe 249 2148 3940 WerFault.exe 254 1656 4660 WerFault.exe 260 2716 3864 WerFault.exe 266 1904 388 WerFault.exe 272 3904 2280 WerFault.exe 278 2000 688 WerFault.exe 283 4640 4764 WerFault.exe 288 3604 2788 WerFault.exe 293 4428 2356 WerFault.exe 298 2516 2976 WerFault.exe 303 3932 2908 WerFault.exe 308 1720 644 WerFault.exe 313 2372 3156 WerFault.exe 318 4368 748 WerFault.exe 323 1596 4976 WerFault.exe 328 2364 2128 WerFault.exe 333 4548 3292 WerFault.exe 338 3932 1892 WerFault.exe 343 3740 2000 WerFault.exe 348 5040 4640 WerFault.exe 353 2792 4920 WerFault.exe 358 2428 4264 WerFault.exe 363 368 3408 WerFault.exe 368 1708 3336 WerFault.exe 373 1852 4992 WerFault.exe 378 820 4944 WerFault.exe 383 4464 3668 WerFault.exe 388 3472 976 WerFault.exe 393 4100 3240 WerFault.exe 398 3020 4948 WerFault.exe 403 3408 1648 WerFault.exe 408 3336 1420 WerFault.exe 413 3932 2280 WerFault.exe 418 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GABH.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OWEJKEX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language KFLHR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GTBGWLG.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BXR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ZLVJ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BPVMZ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ZGHI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language THO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DFHRJW.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SAY.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YMQZA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language QCVRG.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FQUQOE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GPLVR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DZKQYEN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ZCOUAE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DPNG.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FHVGTTS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OXVO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OCBGS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ITUY.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IOIKVK.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EKZGLA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VYTQH.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ZYXYUQB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RXP.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ICKVH.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HFYRGI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ANCZSFR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GPKHYW.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OYOF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ZXIZK.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2152 31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe 2152 31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe 3312 GTBGWLG.exe 3312 GTBGWLG.exe 4888 WUYGHZR.exe 4888 WUYGHZR.exe 4332 CPKHNNZ.exe 4332 CPKHNNZ.exe 3496 RDP.exe 3496 RDP.exe 1208 WYHVV.exe 1208 WYHVV.exe 4264 UJKL.exe 4264 UJKL.exe 1692 OWEJKEX.exe 1692 OWEJKEX.exe 1760 AMKJ.exe 1760 AMKJ.exe 4508 THO.exe 4508 THO.exe 4440 EIDOBI.exe 4440 EIDOBI.exe 4332 VTUEBD.exe 4332 VTUEBD.exe 5032 WWKAPM.exe 5032 WWKAPM.exe 1252 YEFPGSR.exe 1252 YEFPGSR.exe 4164 DFHRJW.exe 4164 DFHRJW.exe 4312 SAY.exe 4312 SAY.exe 2840 QGM.exe 2840 QGM.exe 1680 WGTTV.exe 1680 WGTTV.exe 3584 RMU.exe 3584 RMU.exe 1080 ZRH.exe 1080 ZRH.exe 960 HFYRGI.exe 960 HFYRGI.exe 1280 ZXIZK.exe 1280 ZXIZK.exe 3496 YIFHCK.exe 3496 YIFHCK.exe 4988 TOR.exe 4988 TOR.exe 2752 FRCYW.exe 2752 FRCYW.exe 744 GPKHYW.exe 744 GPKHYW.exe 228 OCBGS.exe 228 OCBGS.exe 4196 TVLI.exe 4196 TVLI.exe 3356 HQBB.exe 3356 HQBB.exe 3552 IOIKVK.exe 3552 IOIKVK.exe 376 QCVRG.exe 376 QCVRG.exe 3940 EXTK.exe 3940 EXTK.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 2152 31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe 2152 31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe 3312 GTBGWLG.exe 3312 GTBGWLG.exe 4888 WUYGHZR.exe 4888 WUYGHZR.exe 4332 CPKHNNZ.exe 4332 CPKHNNZ.exe 3496 RDP.exe 3496 RDP.exe 1208 WYHVV.exe 1208 WYHVV.exe 4264 UJKL.exe 4264 UJKL.exe 1692 OWEJKEX.exe 1692 OWEJKEX.exe 1760 AMKJ.exe 1760 AMKJ.exe 4508 THO.exe 4508 THO.exe 4440 EIDOBI.exe 4440 EIDOBI.exe 4332 VTUEBD.exe 4332 VTUEBD.exe 5032 WWKAPM.exe 5032 WWKAPM.exe 1252 YEFPGSR.exe 1252 YEFPGSR.exe 4164 DFHRJW.exe 4164 DFHRJW.exe 4312 SAY.exe 4312 SAY.exe 2840 QGM.exe 2840 QGM.exe 1680 WGTTV.exe 1680 WGTTV.exe 3584 RMU.exe 3584 RMU.exe 1080 ZRH.exe 1080 ZRH.exe 960 HFYRGI.exe 960 HFYRGI.exe 1280 ZXIZK.exe 1280 ZXIZK.exe 3496 YIFHCK.exe 3496 YIFHCK.exe 4988 TOR.exe 4988 TOR.exe 2752 FRCYW.exe 2752 FRCYW.exe 744 GPKHYW.exe 744 GPKHYW.exe 228 OCBGS.exe 228 OCBGS.exe 4196 TVLI.exe 4196 TVLI.exe 3356 HQBB.exe 3356 HQBB.exe 3552 IOIKVK.exe 3552 IOIKVK.exe 376 QCVRG.exe 376 QCVRG.exe 3940 EXTK.exe 3940 EXTK.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2152 wrote to memory of 1384 2152 31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe 89 PID 2152 wrote to memory of 1384 2152 31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe 89 PID 2152 wrote to memory of 1384 2152 31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe 89 PID 1384 wrote to memory of 3312 1384 cmd.exe 93 PID 1384 wrote to memory of 3312 1384 cmd.exe 93 PID 1384 wrote to memory of 3312 1384 cmd.exe 93 PID 3312 wrote to memory of 2104 3312 GTBGWLG.exe 95 PID 3312 wrote to memory of 2104 3312 GTBGWLG.exe 95 PID 3312 wrote to memory of 2104 3312 GTBGWLG.exe 95 PID 2104 wrote to memory of 4888 2104 cmd.exe 99 PID 2104 wrote to memory of 4888 2104 cmd.exe 99 PID 2104 wrote to memory of 4888 2104 cmd.exe 99 PID 4888 wrote to memory of 3540 4888 WUYGHZR.exe 100 PID 4888 wrote to memory of 3540 4888 WUYGHZR.exe 100 PID 4888 wrote to memory of 3540 4888 WUYGHZR.exe 100 PID 3540 wrote to memory of 4332 3540 cmd.exe 104 PID 3540 wrote to memory of 4332 3540 cmd.exe 104 PID 3540 wrote to memory of 4332 3540 cmd.exe 104 PID 4332 wrote to memory of 4464 4332 CPKHNNZ.exe 105 PID 4332 wrote to memory of 4464 4332 CPKHNNZ.exe 105 PID 4332 wrote to memory of 4464 4332 CPKHNNZ.exe 105 PID 4464 wrote to memory of 3496 4464 cmd.exe 109 PID 4464 wrote to memory of 3496 4464 cmd.exe 109 PID 4464 wrote to memory of 3496 4464 cmd.exe 109 PID 3496 wrote to memory of 644 3496 RDP.exe 110 PID 3496 wrote to memory of 644 3496 RDP.exe 110 PID 3496 wrote to memory of 644 3496 RDP.exe 110 PID 644 wrote to memory of 1208 644 cmd.exe 114 PID 644 wrote to memory of 1208 644 cmd.exe 114 PID 644 wrote to memory of 1208 644 cmd.exe 114 PID 1208 wrote to memory of 4764 1208 WYHVV.exe 115 PID 1208 wrote to memory of 4764 1208 WYHVV.exe 115 PID 1208 wrote to memory of 4764 1208 WYHVV.exe 115 PID 4764 wrote to memory of 4264 4764 cmd.exe 119 PID 4764 wrote to memory of 4264 4764 cmd.exe 119 PID 4764 wrote to memory of 4264 4764 cmd.exe 119 PID 4264 wrote to memory of 3936 4264 UJKL.exe 120 PID 4264 wrote to memory of 3936 4264 UJKL.exe 120 PID 4264 wrote to memory of 3936 4264 UJKL.exe 120 PID 3936 wrote to memory of 1692 3936 cmd.exe 124 PID 3936 wrote to memory of 1692 3936 cmd.exe 124 PID 3936 wrote to memory of 1692 3936 cmd.exe 124 PID 1692 wrote to memory of 1304 1692 OWEJKEX.exe 127 PID 1692 wrote to memory of 1304 1692 OWEJKEX.exe 127 PID 1692 wrote to memory of 1304 1692 OWEJKEX.exe 127 PID 1304 wrote to memory of 1760 1304 cmd.exe 131 PID 1304 wrote to memory of 1760 1304 cmd.exe 131 PID 1304 wrote to memory of 1760 1304 cmd.exe 131 PID 1760 wrote to memory of 4160 1760 AMKJ.exe 133 PID 1760 wrote to memory of 4160 1760 AMKJ.exe 133 PID 1760 wrote to memory of 4160 1760 AMKJ.exe 133 PID 4160 wrote to memory of 4508 4160 cmd.exe 138 PID 4160 wrote to memory of 4508 4160 cmd.exe 138 PID 4160 wrote to memory of 4508 4160 cmd.exe 138 PID 4508 wrote to memory of 4844 4508 THO.exe 139 PID 4508 wrote to memory of 4844 4508 THO.exe 139 PID 4508 wrote to memory of 4844 4508 THO.exe 139 PID 4844 wrote to memory of 4440 4844 cmd.exe 143 PID 4844 wrote to memory of 4440 4844 cmd.exe 143 PID 4844 wrote to memory of 4440 4844 cmd.exe 143 PID 4440 wrote to memory of 1112 4440 EIDOBI.exe 173 PID 4440 wrote to memory of 1112 4440 EIDOBI.exe 173 PID 4440 wrote to memory of 1112 4440 EIDOBI.exe 173 PID 1112 wrote to memory of 4332 1112 cmd.exe 148
Processes
-
C:\Users\Admin\AppData\Local\Temp\31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe"C:\Users\Admin\AppData\Local\Temp\31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GTBGWLG.exe.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\windows\GTBGWLG.exeC:\windows\GTBGWLG.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WUYGHZR.exe.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\windows\WUYGHZR.exeC:\windows\WUYGHZR.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CPKHNNZ.exe.bat" "6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\windows\SysWOW64\CPKHNNZ.exeC:\windows\system32\CPKHNNZ.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RDP.exe.bat" "8⤵
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\windows\system\RDP.exeC:\windows\system\RDP.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WYHVV.exe.bat" "10⤵
- Suspicious use of WriteProcessMemory
PID:644 -
C:\windows\SysWOW64\WYHVV.exeC:\windows\system32\WYHVV.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UJKL.exe.bat" "12⤵
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\windows\SysWOW64\UJKL.exeC:\windows\system32\UJKL.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OWEJKEX.exe.bat" "14⤵
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\windows\system\OWEJKEX.exeC:\windows\system\OWEJKEX.exe15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AMKJ.exe.bat" "16⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\windows\system\AMKJ.exeC:\windows\system\AMKJ.exe17⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\THO.exe.bat" "18⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\windows\system\THO.exeC:\windows\system\THO.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EIDOBI.exe.bat" "20⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\windows\system\EIDOBI.exeC:\windows\system\EIDOBI.exe21⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VTUEBD.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\windows\VTUEBD.exeC:\windows\VTUEBD.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WWKAPM.exe.bat" "24⤵
- System Location Discovery: System Language Discovery
PID:5028 -
C:\windows\SysWOW64\WWKAPM.exeC:\windows\system32\WWKAPM.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5032 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YEFPGSR.exe.bat" "26⤵PID:4832
-
C:\windows\SysWOW64\YEFPGSR.exeC:\windows\system32\YEFPGSR.exe27⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1252 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DFHRJW.exe.bat" "28⤵PID:4456
-
C:\windows\DFHRJW.exeC:\windows\DFHRJW.exe29⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4164 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SAY.exe.bat" "30⤵PID:1692
-
C:\windows\SAY.exeC:\windows\SAY.exe31⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4312 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QGM.exe.bat" "32⤵PID:4080
-
C:\windows\SysWOW64\QGM.exeC:\windows\system32\QGM.exe33⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WGTTV.exe.bat" "34⤵
- System Location Discovery: System Language Discovery
PID:4660 -
C:\windows\SysWOW64\WGTTV.exeC:\windows\system32\WGTTV.exe35⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RMU.exe.bat" "36⤵
- System Location Discovery: System Language Discovery
PID:4700 -
C:\windows\system\RMU.exeC:\windows\system\RMU.exe37⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZRH.exe.bat" "38⤵PID:2752
-
C:\windows\system\ZRH.exeC:\windows\system\ZRH.exe39⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HFYRGI.exe.bat" "40⤵PID:1424
-
C:\windows\HFYRGI.exeC:\windows\HFYRGI.exe41⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZXIZK.exe.bat" "42⤵
- System Location Discovery: System Language Discovery
PID:4164 -
C:\windows\system\ZXIZK.exeC:\windows\system\ZXIZK.exe43⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1280 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YIFHCK.exe.bat" "44⤵
- System Location Discovery: System Language Discovery
PID:4628 -
C:\windows\system\YIFHCK.exeC:\windows\system\YIFHCK.exe45⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TOR.exe.bat" "46⤵PID:696
-
C:\windows\system\TOR.exeC:\windows\system\TOR.exe47⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FRCYW.exe.bat" "48⤵PID:3664
-
C:\windows\FRCYW.exeC:\windows\FRCYW.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GPKHYW.exe.bat" "50⤵PID:3304
-
C:\windows\SysWOW64\GPKHYW.exeC:\windows\system32\GPKHYW.exe51⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:744 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OCBGS.exe.bat" "52⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\windows\system\OCBGS.exeC:\windows\system\OCBGS.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\TVLI.exe.bat" "54⤵PID:4380
-
C:\windows\TVLI.exeC:\windows\TVLI.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4196 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HQBB.exe.bat" "56⤵PID:2820
-
C:\windows\SysWOW64\HQBB.exeC:\windows\system32\HQBB.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IOIKVK.exe.bat" "58⤵PID:1684
-
C:\windows\system\IOIKVK.exeC:\windows\system\IOIKVK.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QCVRG.exe.bat" "60⤵
- System Location Discovery: System Language Discovery
PID:388 -
C:\windows\system\QCVRG.exeC:\windows\system\QCVRG.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EXTK.exe.bat" "62⤵PID:4768
-
C:\windows\EXTK.exeC:\windows\EXTK.exe63⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BPVMZ.exe.bat" "64⤵PID:3932
-
C:\windows\system\BPVMZ.exeC:\windows\system\BPVMZ.exe65⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CLBDOT.exe.bat" "66⤵PID:3852
-
C:\windows\system\CLBDOT.exeC:\windows\system\CLBDOT.exe67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BRH.exe.bat" "68⤵PID:4440
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵PID:4196
-
-
C:\windows\BRH.exeC:\windows\BRH.exe69⤵
- Checks computer location settings
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZGHI.exe.bat" "70⤵PID:4160
-
C:\windows\system\ZGHI.exeC:\windows\system\ZGHI.exe71⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WWVZ.exe.bat" "72⤵
- System Location Discovery: System Language Discovery
PID:3020 -
C:\windows\WWVZ.exeC:\windows\WWVZ.exe73⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EKZGLA.exe.bat" "74⤵PID:644
-
C:\windows\system\EKZGLA.exeC:\windows\system\EKZGLA.exe75⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4764 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KFLHR.exe.bat" "76⤵
- System Location Discovery: System Language Discovery
PID:5000 -
C:\windows\KFLHR.exeC:\windows\KFLHR.exe77⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LVTQBHD.exe.bat" "78⤵PID:4252
-
C:\windows\SysWOW64\LVTQBHD.exeC:\windows\system32\LVTQBHD.exe79⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FREG.exe.bat" "80⤵PID:556
-
C:\windows\SysWOW64\FREG.exeC:\windows\system32\FREG.exe81⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NWRM.exe.bat" "82⤵
- System Location Discovery: System Language Discovery
PID:1280 -
C:\windows\SysWOW64\NWRM.exeC:\windows\system32\NWRM.exe83⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DKITMKJ.exe.bat" "84⤵
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV185⤵PID:376
-
-
C:\windows\SysWOW64\DKITMKJ.exeC:\windows\system32\DKITMKJ.exe85⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FHVGTTS.exe.bat" "86⤵PID:2292
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵PID:2280
-
-
C:\windows\system\FHVGTTS.exeC:\windows\system\FHVGTTS.exe87⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3156 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AFVRD.exe.bat" "88⤵PID:4544
-
C:\windows\AFVRD.exeC:\windows\AFVRD.exe89⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ITUY.exe.bat" "90⤵PID:1360
-
C:\windows\SysWOW64\ITUY.exeC:\windows\system32\ITUY.exe91⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NLW.exe.bat" "92⤵PID:2792
-
C:\windows\system\NLW.exeC:\windows\system\NLW.exe93⤵
- Checks computer location settings
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QBR.exe.bat" "94⤵PID:2428
-
C:\windows\system\QBR.exeC:\windows\system\QBR.exe95⤵
- Checks computer location settings
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CECCS.exe.bat" "96⤵PID:1928
-
C:\windows\CECCS.exeC:\windows\CECCS.exe97⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BXR.exe.bat" "98⤵PID:5052
-
C:\windows\BXR.exeC:\windows\BXR.exe99⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BNZU.exe.bat" "100⤵PID:4432
-
C:\windows\BNZU.exeC:\windows\BNZU.exe101⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CQPIA.exe.bat" "102⤵PID:4628
-
C:\windows\system\CQPIA.exeC:\windows\system\CQPIA.exe103⤵
- Checks computer location settings
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QLBI.exe.bat" "104⤵PID:3696
-
C:\windows\QLBI.exeC:\windows\QLBI.exe105⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CWYOY.exe.bat" "106⤵PID:4160
-
C:\windows\SysWOW64\CWYOY.exeC:\windows\system32\CWYOY.exe107⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3408 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WKXMDS.exe.bat" "108⤵PID:4428
-
C:\windows\SysWOW64\WKXMDS.exeC:\windows\system32\WKXMDS.exe109⤵
- Checks computer location settings
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KFVF.exe.bat" "110⤵PID:1128
-
C:\windows\KFVF.exeC:\windows\KFVF.exe111⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FNECZ.exe.bat" "112⤵
- System Location Discovery: System Language Discovery
PID:1680 -
C:\windows\FNECZ.exeC:\windows\FNECZ.exe113⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FQUQOE.exe.bat" "114⤵
- System Location Discovery: System Language Discovery
PID:4252 -
C:\windows\SysWOW64\FQUQOE.exeC:\windows\system32\FQUQOE.exe115⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ATRVGCI.exe.bat" "116⤵PID:3728
-
C:\windows\SysWOW64\ATRVGCI.exeC:\windows\system32\ATRVGCI.exe117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RXP.exe.bat" "118⤵PID:2028
-
C:\windows\RXP.exeC:\windows\RXP.exe119⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZCOUAE.exe.bat" "120⤵
- System Location Discovery: System Language Discovery
PID:1384 -
C:\windows\ZCOUAE.exeC:\windows\ZCOUAE.exe121⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4948
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-