Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/08/2024, 22:51
Static task: static1
Behavioral task: behavioral1
Sample: 6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe
Resource: win10v2004-20240802-en
General
Target: 6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe
Size: 208KB
MD5: 95514abf158b6187fa105d8ee8d55138
SHA1: 006ef49b6642bafd83b108e10abb0c3de39a4346
SHA256: 6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302
SHA512: 93d118c560c61eb3bcce2520f684c0d976aa27d9c43eb68a03b0758be8a8f072f99c1e38649c740764ce2c29325c703dd70b8d79f1a743da8b0d3b1600a400a5
SSDEEP: 3072:OTVuc3MLAZHs5+4nOKngxYCSWj5jtO8ieDuehAd4NLthEjQT6:UucsA6EGOKgVXFjtbHDLhAdQEj
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (numbered by depth in the process tree; each process is spawned by the one above it)

1. C:\Users\Admin\AppData\Local\Temp\6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe (PID 1728)
   Command line: "C:\Users\Admin\AppData\Local\Temp\6b3f65c9f42fe644caee362006ee4f47d6a1dbb274dd4e2fce55f6869fd5e302.exe"
   - Checks computer location settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\cmd.exe (PID 4812)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AKFP.exe.bat" "
   - Suspicious use of WriteProcessMemory
3. C:\windows\system\AKFP.exe (PID 4716)
   Command line: C:\windows\system\AKFP.exe
   - Checks computer location settings
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\cmd.exe (PID 4916)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\EKTJHZO.exe.bat" "
   - Suspicious use of WriteProcessMemory
5. C:\windows\EKTJHZO.exe (PID 3356)
   Command line: C:\windows\EKTJHZO.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\cmd.exe (PID 1496)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KNX.exe.bat" "
   - Suspicious use of WriteProcessMemory
7. C:\windows\KNX.exe (PID 3616)
   Command line: C:\windows\KNX.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\cmd.exe (PID 3128)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SBXW.exe.bat" "
   - Suspicious use of WriteProcessMemory
9. C:\windows\SBXW.exe (PID 4604)
   Command line: C:\windows\SBXW.exe
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\cmd.exe (PID 2836)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HWGIGQN.exe.bat" "
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
11. C:\windows\system\HWGIGQN.exe (PID 1568)
   Command line: C:\windows\system\HWGIGQN.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\cmd.exe (PID 1936)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MYCHLP.exe.bat" "
   - Suspicious use of WriteProcessMemory
13. C:\windows\system\MYCHLP.exe (PID 712)
   Command line: C:\windows\system\MYCHLP.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\cmd.exe (PID 1160)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SZK.exe.bat" "
   - Suspicious use of WriteProcessMemory
15. C:\windows\system\SZK.exe (PID 4240)
   Command line: C:\windows\system\SZK.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\cmd.exe (PID 2576)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RKNLDPF.exe.bat" "
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
17. C:\windows\SysWOW64\RKNLDPF.exe (PID 4364)
   Command line: C:\windows\system32\RKNLDPF.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\cmd.exe (PID 2848)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ASPQ.exe.bat" "
   - Suspicious use of WriteProcessMemory
19. C:\windows\SysWOW64\ASPQ.exe (PID 428)
   Command line: C:\windows\system32\ASPQ.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\cmd.exe (PID 2588)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KQC.exe.bat" "
   - Suspicious use of WriteProcessMemory
21. C:\windows\SysWOW64\KQC.exe (PID 4720)
   Command line: C:\windows\system32\KQC.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\cmd.exe (PID 2528)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\GVA.exe.bat" "
   - Suspicious use of WriteProcessMemory
23. C:\windows\GVA.exe (PID 1776)
   Command line: C:\windows\GVA.exe
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
24. C:\Windows\SysWOW64\cmd.exe (PID 1796)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ITOBKVA.exe.bat" "
25. C:\windows\system\ITOBKVA.exe (PID 4248)
   Command line: C:\windows\system\ITOBKVA.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
26. C:\Windows\SysWOW64\cmd.exe (PID 3616)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LGTL.exe.bat" "
27. C:\windows\system\LGTL.exe (PID 4940)
   Command line: C:\windows\system\LGTL.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
28. C:\Windows\SysWOW64\cmd.exe (PID 4396)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QJP.exe.bat" "
29. C:\windows\SysWOW64\QJP.exe (PID 4964)
   Command line: C:\windows\system32\QJP.exe
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
30. C:\Windows\SysWOW64\cmd.exe (PID 1568)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IRRODK.exe.bat" "
31. C:\windows\IRRODK.exe (PID 3744)
   Command line: C:\windows\IRRODK.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
32. C:\Windows\SysWOW64\cmd.exe (PID 1856)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AUU.exe.bat" "
   - System Location Discovery: System Language Discovery
33. C:\windows\AUU.exe (PID 712)
   Command line: C:\windows\AUU.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
34. C:\Windows\SysWOW64\cmd.exe (PID 4688)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZKONEFV.exe.bat" "
   - System Location Discovery: System Language Discovery
35. C:\windows\SysWOW64\ZKONEFV.exe (PID 4240)
   Command line: C:\windows\system32\ZKONEFV.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
36. C:\Windows\SysWOW64\cmd.exe (PID 4792)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QTQ.exe.bat" "
37. C:\windows\system\QTQ.exe (PID 220)
   Command line: C:\windows\system\QTQ.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
38. C:\Windows\SysWOW64\cmd.exe (PID 2588)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\UBW.exe.bat" "
39. C:\windows\system\UBW.exe (PID 3176)
   Command line: C:\windows\system\UBW.exe
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
40. C:\Windows\SysWOW64\cmd.exe (PID 3348)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IGUXAEV.exe.bat" "
41. C:\windows\IGUXAEV.exe (PID 3400)
   Command line: C:\windows\IGUXAEV.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
42. C:\Windows\SysWOW64\cmd.exe (PID 4912)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HRTNAZR.exe.bat" "
43. C:\windows\SysWOW64\HRTNAZR.exe (PID 3944)
   Command line: C:\windows\system32\HRTNAZR.exe
   - Executes dropped EXE
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
44. C:\Windows\SysWOW64\cmd.exe (PID 3616)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WPQK.exe.bat" "
45. C:\windows\WPQK.exe (PID 3128)
   Command line: C:\windows\WPQK.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
46. C:\Windows\SysWOW64\cmd.exe (PID 4844)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CPYY.exe.bat" "
47. C:\windows\SysWOW64\CPYY.exe (PID 876)
   Command line: C:\windows\system32\CPYY.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
48. C:\Windows\SysWOW64\cmd.exe (PID 1568)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WKDHIK.exe.bat" "
49. C:\windows\SysWOW64\WKDHIK.exe (PID 4740)
   Command line: C:\windows\system32\WKDHIK.exe
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
50. C:\Windows\SysWOW64\cmd.exe (PID 4672)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OKFU.exe.bat" "
51. C:\windows\system\OKFU.exe (PID 3080)
   Command line: C:\windows\system\OKFU.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
52. C:\Windows\SysWOW64\cmd.exe (PID 3912)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XYPMB.exe.bat" "
53. C:\windows\system\XYPMB.exe (PID 4676)
   Command line: C:\windows\system\XYPMB.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
54. C:\Windows\SysWOW64\cmd.exe (PID 3116)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IQSXCM.exe.bat" "
55. C:\windows\SysWOW64\IQSXCM.exe (PID 1436)
   Command line: C:\windows\system32\IQSXCM.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
56. C:\Windows\SysWOW64\cmd.exe (PID 1916)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LEX.exe.bat" "
57. C:\windows\system\LEX.exe (PID 3700)
   Command line: C:\windows\system\LEX.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
58. C:\Windows\SysWOW64\cmd.exe (PID 1576)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UMZU.exe.bat" "
59. C:\windows\SysWOW64\UMZU.exe (PID 3696)
   Command line: C:\windows\system32\UMZU.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
60. C:\Windows\SysWOW64\cmd.exe (PID 3496)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OZEDAR.exe.bat" "
61. C:\windows\system\OZEDAR.exe (PID 4404)
   Command line: C:\windows\system\OZEDAR.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
62. C:\Windows\SysWOW64\cmd.exe (PID 2632)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EUNH.exe.bat" "
63. C:\windows\SysWOW64\EUNH.exe (PID 4752)
   Command line: C:\windows\system32\EUNH.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
64. C:\Windows\SysWOW64\cmd.exe (PID 2880)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NDPNWJF.exe.bat" "
65. C:\windows\system\NDPNWJF.exe (PID 4844)
   Command line: C:\windows\system\NDPNWJF.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\cmd.exe (PID 2932)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IQUE.exe.bat" "
67. C:\windows\SysWOW64\IQUE.exe (PID 2512)
   Command line: C:\windows\system32\IQUE.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
68. C:\Windows\SysWOW64\cmd.exe (PID 4388)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NQCSP.exe.bat" "
69. C:\windows\NQCSP.exe (PID 5088)
   Command line: C:\windows\NQCSP.exe
   - Executes dropped EXE
70. C:\Windows\SysWOW64\cmd.exe (PID 4332)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MBSIP.exe.bat" "
   - System Location Discovery: System Language Discovery
71. C:\windows\SysWOW64\MBSIP.exe (PID 1672)
   Command line: C:\windows\system32\MBSIP.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
72. C:\Windows\SysWOW64\cmd.exe (PID 944)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TWCUAKZ.exe.bat" "
73. C:\windows\TWCUAKZ.exe (PID 3184)
   Command line: C:\windows\TWCUAKZ.exe
   - Executes dropped EXE
   - Drops file in Windows directory
74. C:\Windows\SysWOW64\cmd.exe (PID 2872)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FMIUM.exe.bat" "
75. C:\windows\FMIUM.exe (PID 5052)
   Command line: C:\windows\FMIUM.exe
   - Checks computer location settings
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
76. C:\Windows\SysWOW64\cmd.exe (PID 3924)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PMK.exe.bat" "
77. C:\windows\system\PMK.exe (PID 1224)
   Command line: C:\windows\system\PMK.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
78. C:\Windows\SysWOW64\cmd.exe (PID 4616)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UNS.exe.bat" "
79. C:\windows\UNS.exe (PID 3496)
   Command line: C:\windows\UNS.exe
   - Executes dropped EXE
80. C:\Windows\SysWOW64\cmd.exe (PID 1664)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ENUSKIS.exe.bat" "
81. C:\windows\system\ENUSKIS.exe (PID 1564)
   Command line: C:\windows\system\ENUSKIS.exe
   - Checks computer location settings
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
82. C:\Windows\SysWOW64\cmd.exe (PID 4044)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EQYV.exe.bat" "
83. C:\windows\system\EQYV.exe (PID 2448)
   Command line: C:\windows\system\EQYV.exe
   - Checks computer location settings
   - Executes dropped EXE
84. C:\Windows\SysWOW64\cmd.exe (PID 624)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QJBOY.exe.bat" "
85. C:\windows\SysWOW64\QJBOY.exe (PID 1856)
   Command line: C:\windows\system32\QJBOY.exe
   - Executes dropped EXE
   - Drops file in Windows directory
86. C:\Windows\SysWOW64\cmd.exe (PID 4944)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KWFYIFY.exe.bat" "
87. C:\windows\system\KWFYIFY.exe (PID 3500)
   Command line: C:\windows\system\KWFYIFY.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
88. C:\Windows\SysWOW64\cmd.exe (PID 1716)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FRK.exe.bat" "
89. C:\windows\SysWOW64\FRK.exe (PID 1524)
   Command line: C:\windows\system32\FRK.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
90. C:\Windows\SysWOW64\cmd.exe (PID 2552)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WWVZ.exe.bat" "
91. C:\windows\WWVZ.exe (PID 1504)
   Command line: C:\windows\WWVZ.exe
   - Checks computer location settings
   - Executes dropped EXE
92. C:\Windows\SysWOW64\cmd.exe (PID 1172)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RSA.exe.bat" "
93. C:\windows\RSA.exe (PID 3896)
   Command line: C:\windows\RSA.exe
   - Executes dropped EXE
94. C:\Windows\SysWOW64\cmd.exe (PID 2664)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CKVBTJF.exe.bat" "
95. C:\windows\system\CKVBTJF.exe (PID 1128)
   Command line: C:\windows\system\CKVBTJF.exe
   - Checks computer location settings
   - Executes dropped EXE
96. C:\Windows\SysWOW64\cmd.exe (PID 2628)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WYZL.exe.bat" "
97. C:\windows\system\WYZL.exe (PID 2264)
   Command line: C:\windows\system\WYZL.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
98. C:\Windows\SysWOW64\cmd.exe (PID 4292)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOAKCEQ.exe.bat" "
99. C:\windows\system\MOAKCEQ.exe (PID 2008)
   Command line: C:\windows\system\MOAKCEQ.exe
   - Executes dropped EXE
100. C:\Windows\SysWOW64\cmd.exe (PID 4044)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FREG.exe.bat" "
101. C:\windows\SysWOW64\FREG.exe (PID 1936)
   Command line: C:\windows\system32\FREG.exe
   - Checks computer location settings
   - Executes dropped EXE
102. C:\Windows\SysWOW64\cmd.exe (PID 624)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WWPYXQF.exe.bat" "
103. C:\windows\system\WWPYXQF.exe (PID 1532)
   Command line: C:\windows\system\WWPYXQF.exe
   - Executes dropped EXE
   - Drops file in System32 directory
104. C:\Windows\SysWOW64\cmd.exe (PID 1940)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FER.exe.bat" "
   - System Location Discovery: System Language Discovery
105. C:\windows\SysWOW64\FER.exe (PID 1736)
   Command line: C:\windows\system32\FER.exe
   - Executes dropped EXE
   - Drops file in Windows directory
106. C:\Windows\SysWOW64\cmd.exe (PID 2120)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LFYRRQ.exe.bat" "
107. C:\windows\LFYRRQ.exe (PID 2752)
   Command line: C:\windows\LFYRRQ.exe
   - Executes dropped EXE
   - Drops file in Windows directory
108. C:\Windows\SysWOW64\cmd.exe (PID 1180)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WXBJSGY.exe.bat" "
109. C:\windows\WXBJSGY.exe (PID 3116)
   Command line: C:\windows\WXBJSGY.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in System32 directory
110. C:\Windows\SysWOW64\cmd.exe (PID 3468)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FYD.exe.bat" "
   - System Location Discovery: System Language Discovery
111. C:\windows\SysWOW64\FYD.exe (PID 5060)
   Command line: C:\windows\system32\FYD.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
112. C:\Windows\SysWOW64\cmd.exe (PID 1140)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LYLCM.exe.bat" "
113. C:\windows\LYLCM.exe (PID 1848)
   Command line: C:\windows\LYLCM.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
114. C:\Windows\SysWOW64\cmd.exe (PID 4484)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TLPRX.exe.bat" "
115. C:\windows\system\TLPRX.exe (PID 4336)
   Command line: C:\windows\system\TLPRX.exe
   - Executes dropped EXE
116. C:\Windows\SysWOW64\cmd.exe (PID 616)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XTS.exe.bat" "
117. C:\windows\SysWOW64\XTS.exe (PID 3496)
   Command line: C:\windows\system32\XTS.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
118. C:\Windows\SysWOW64\cmd.exe (PID 1064)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZWTG.exe.bat" "
119. C:\windows\ZWTG.exe (PID 1920)
   Command line: C:\windows\ZWTG.exe
   - Executes dropped EXE
120. C:\Windows\SysWOW64\cmd.exe (PID 1568)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IXVLO.exe.bat" "
   - System Location Discovery: System Language Discovery
121. C:\windows\SysWOW64\IXVLO.exe (PID 2120)
   Command line: C:\windows\system32\IXVLO.exe
   - Executes dropped EXE
122. C:\Windows\SysWOW64\cmd.exe (PID 2368)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OXDZFQY.exe.bat" "