Analysis
max time kernel: 120s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/09/2024, 01:42
Static task: static1
Behavioral task: behavioral1
  Sample: 770bd2b52da41659366ab5e9511b48e0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2 (the run shown on this page)
  Sample: 770bd2b52da41659366ab5e9511b48e0N.exe
  Resource: win10v2004-20240802-en
General
Target: 770bd2b52da41659366ab5e9511b48e0N.exe
Size: 208KB
MD5: 770bd2b52da41659366ab5e9511b48e0
SHA1: b137e24b2c60600df6646d62beb5a630e47877fe
SHA256: d41fa3f65ecbf634812ffe9cb29bf546ff50d1456b0e89380d4f575a30329b97
SHA512: d09a07343b42c06523db70524740e0ae32847143e01229564893c43a9e731ce9006e3421873031e882832c625933fba86da670b8a9b0b86a70c1866e2620122e
SSDEEP: 3072:tFqNLS84DiRZ594WGpPqgCjP1u4eJNLGJLWnulSGi4NLthEjQT6:7KLyDYd4WGxqph01GJ8m+QEj
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence. The same value is what the GetUserGeoID API returns, so one hit is weak evidence on its own; here it is notable because every dropped copy performs the lookup.
Key value queried: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Processes (64): VDQ.exe, JBQ.exe, LBXLSG.exe, VIOYC.exe, HTW.exe, KERS.exe, JDZIXQ.exe, IOC.exe, TRNH.exe, KBDF.exe, KXD.exe, TWPNJ.exe, ECGCM.exe, YLXWEO.exe, HZJUCM.exe, EGOCSDJ.exe, GCMBZK.exe, SLP.exe, TJDYPQ.exe, MAUQOI.exe, LLXGW.exe, ZHSQS.exe, XWIQ.exe, LXBFSK.exe, EHR.exe, ENPWLI.exe, GSLIZ.exe, HOOPIV.exe, VJN.exe, BKDXUHZ.exe, WEBM.exe, VRWOHWI.exe, IZC.exe, FBV.exe, ZQBH.exe, GCXAB.exe, PIUZM.exe, HMZLZE.exe, QPXQYZ.exe, ZQL.exe, EQB.exe, FOC.exe, FZTENY.exe, OIM.exe, RGTCOQX.exe, OCKJ.exe, RUSST.exe, QHLIDB.exe, EURRIO.exe, VLWU.exe, FRLEDOA.exe, VFLU.exe, WVHQKSU.exe, PKZFEU.exe, BKT.exe, HNTETQ.exe, ICENV.exe, PVBL.exe, JZYLYXI.exe, BFZLUUW.exe, UXOWLVM.exe, ZFQ.exe, TASYNH.exe, WKP.exe
Executes dropped EXE (64 IoCs)
Note that the sandbox reuses PIDs within the 120s run (4828 is IQYFWMY.exe and later XFHLO.exe; 4288, 3092, 1884 and 3892 are likewise reused), so any join on pid between this table and the crash or WriteProcessMemory tables has to respect execution order.
pid   Process
5036  EURRIO.exe
1664  DFUZR.exe
4828  IQYFWMY.exe
4320  VTUEBD.exe
5004  TRNH.exe
4592  KBDF.exe
2348  HZJUCM.exe
3488  UKFAH.exe
3940  QPXQYZ.exe
4012  AQZVBEY.exe
3564  MGGV.exe
4552  VGIIRU.exe
4128  UZLQZ.exe
3228  OMQHKA.exe
4632  UMXV.exe
1900  ENZAW.exe
4828  XFHLO.exe
3492  TLMIVKM.exe
4288  MOQE.exe
5000  LZB.exe
2960  RZJIS.exe
3928  KRQ.exe
4236  TASYNH.exe
3608  NSIJ.exe
3752  AQI.exe
3092  EGOCSDJ.exe
4288  RJSBXV.exe
4484  EUBZ.exe
1460  VERX.exe
4932  BFZLUUW.exe
3736  UXOWLVM.exe
4280  WVHQKSU.exe
3464  YTVKZ.exe
2268  LERJES.exe
1884  TJDYPQ.exe
936   XRK.exe
5104  BHRYF.exe
4800  MAUQOI.exe
2728  LLXGW.exe
3892  AGG.exe
448   ATGZ.exe
4644  MMJ.exe
2564  WKP.exe
4384  JMXLNO.exe
1292  AVZQ.exe
3092  TQDMEC.exe
1364  ZQL.exe
1288  QYNN.exe
5024  JBQ.exe
3848  HRKLREC.exe
3636  GCMBZK.exe
2492  ZFQ.exe
1976  VLWU.exe
2572  LBXLSG.exe
5116  FOC.exe
3288  NTPKNEB.exe
2540  AEXABHW.exe
3284  KCDVJ.exe
1916  FPHETP.exe
4868  GSLIZ.exe
4028  IQZ.exe
3892  ZQBH.exe
3708  BOGB.exe
1884  HOOPIV.exe
Drops file in System32 directory (64 IoCs)
description                   ioc  Process
File opened for modification  C:\windows\SysWOW64\OMQHKA.exe  UZLQZ.exe
File created                  C:\windows\SysWOW64\ZQL.exe  TQDMEC.exe
File created                  C:\windows\SysWOW64\HNTETQ.exe.bat  ZHSQS.exe
File opened for modification  C:\windows\SysWOW64\QTYLKGV.exe  FBV.exe
File created                  C:\windows\SysWOW64\VGIIRU.exe.bat  MGGV.exe
File opened for modification  C:\windows\SysWOW64\BAOLDC.exe  GMJC.exe
File opened for modification  C:\windows\SysWOW64\YXKJNH.exe  EHR.exe
File opened for modification  C:\windows\SysWOW64\UKFAH.exe  HZJUCM.exe
File opened for modification  C:\windows\SysWOW64\BKDXUHZ.exe  HOYNK.exe
File created                  C:\windows\SysWOW64\EQB.exe  RNSSR.exe
File created                  C:\windows\SysWOW64\UIUDP.exe  OIM.exe
File created                  C:\windows\SysWOW64\TJDYPQ.exe.bat  LERJES.exe
File opened for modification  C:\windows\SysWOW64\GCMBZK.exe  HRKLREC.exe
File created                  C:\windows\SysWOW64\LNJGDUL.exe  FSKF.exe
File created                  C:\windows\SysWOW64\PIO.exe  CFKB.exe
File created                  C:\windows\SysWOW64\JHMLVOT.exe  ZHKGSR.exe
File created                  C:\windows\SysWOW64\OMQHKA.exe.bat  UZLQZ.exe
File created                  C:\windows\SysWOW64\WVHQKSU.exe  UXOWLVM.exe
File created                  C:\windows\SysWOW64\FZTENY.exe  VJN.exe
File created                  C:\windows\SysWOW64\SHB.exe  YLXWEO.exe
File created                  C:\windows\SysWOW64\UMXV.exe  OMQHKA.exe
File created                  C:\windows\SysWOW64\LXBFSK.exe  BAOLDC.exe
File created                  C:\windows\SysWOW64\KERS.exe  TWPNJ.exe
File created                  C:\windows\SysWOW64\UHDS.exe  GWUU.exe
File created                  C:\windows\SysWOW64\QTYLKGV.exe  FBV.exe
File created                  C:\windows\SysWOW64\ADZKAA.exe.bat  LII.exe
File created                  C:\windows\SysWOW64\BAOLDC.exe.bat  GMJC.exe
File created                  C:\windows\SysWOW64\PVBL.exe.bat  IZC.exe
File created                  C:\windows\SysWOW64\JZYLYXI.exe.bat  FJRD.exe
File created                  C:\windows\SysWOW64\UMXV.exe.bat  OMQHKA.exe
File created                  C:\windows\SysWOW64\TJDYPQ.exe  LERJES.exe
File created                  C:\windows\SysWOW64\LXBFSK.exe.bat  BAOLDC.exe
File created                  C:\windows\SysWOW64\RUSST.exe  KERS.exe
File opened for modification  C:\windows\SysWOW64\JHMLVOT.exe  ZHKGSR.exe
File opened for modification  C:\windows\SysWOW64\VFLU.exe  MXJ.exe
File created                  C:\windows\SysWOW64\VFLU.exe.bat  MXJ.exe
File created                  C:\windows\SysWOW64\ENPWLI.exe  ZNHJC.exe
File opened for modification  C:\windows\SysWOW64\PVBL.exe  IZC.exe
File opened for modification  C:\windows\SysWOW64\ZNHJC.exe  GSQXY.exe
File created                  C:\windows\SysWOW64\TLMIVKM.exe.bat  XFHLO.exe
File created                  C:\windows\SysWOW64\EUBZ.exe  RJSBXV.exe
File created                  C:\windows\SysWOW64\UVJIW.exe  KXD.exe
File opened for modification  C:\windows\SysWOW64\LNJGDUL.exe  FSKF.exe
File opened for modification  C:\windows\SysWOW64\VRWOHWI.exe  HTW.exe
File created                  C:\windows\SysWOW64\VRWOHWI.exe.bat  HTW.exe
File created                  C:\windows\SysWOW64\SHB.exe.bat  YLXWEO.exe
File opened for modification  C:\windows\SysWOW64\VDQ.exe  YXKJNH.exe
File created                  C:\windows\SysWOW64\KBDF.exe  TRNH.exe
File created                  C:\windows\SysWOW64\HNTETQ.exe  ZHSQS.exe
File created                  C:\windows\SysWOW64\UGA.exe.bat  RTVAWVH.exe
File created                  C:\windows\SysWOW64\EQB.exe.bat  RNSSR.exe
File opened for modification  C:\windows\SysWOW64\ZHKGSR.exe  UHDS.exe
File created                  C:\windows\SysWOW64\AQZVBEY.exe.bat  QPXQYZ.exe
File opened for modification  C:\windows\SysWOW64\AGG.exe  LLXGW.exe
File opened for modification  C:\windows\SysWOW64\UGA.exe  RTVAWVH.exe
File opened for modification  C:\windows\SysWOW64\PIO.exe  CFKB.exe
File created                  C:\windows\SysWOW64\UHDS.exe.bat  GWUU.exe
File opened for modification  C:\windows\SysWOW64\IVWWY.exe  ENPWLI.exe
File opened for modification  C:\windows\SysWOW64\AQZVBEY.exe  QPXQYZ.exe
File created                  C:\windows\SysWOW64\UXOWLVM.exe.bat  BFZLUUW.exe
File created                  C:\windows\SysWOW64\MMJ.exe.bat  ATGZ.exe
File created                  C:\windows\SysWOW64\JDZIXQ.exe  PIUZM.exe
File opened for modification  C:\windows\SysWOW64\PVPG.exe  LNJGDUL.exe
File created                  C:\windows\SysWOW64\UGA.exe  RTVAWVH.exe
Drops file in Windows directory (64 IoCs)
description                   ioc  Process
File created                  C:\windows\NPPF.exe  YUGTYJ.exe
File created                  C:\windows\LII.exe  OCKJ.exe
File opened for modification  C:\windows\HZJUCM.exe  KBDF.exe
File created                  C:\windows\system\TQDMEC.exe.bat  AVZQ.exe
File created                  C:\windows\IQZ.exe  GSLIZ.exe
File created                  C:\windows\ATGZ.exe.bat  AGG.exe
File created                  C:\windows\system\HMZLZE.exe.bat  OJVQU.exe
File created                  C:\windows\FJRD.exe.bat  KWMTBFF.exe
File created                  C:\windows\system\TRNH.exe  VTUEBD.exe
File opened for modification  C:\windows\ENZAW.exe  UMXV.exe
File created                  C:\windows\LLXGW.exe.bat  MAUQOI.exe
File opened for modification  C:\windows\WEBM.exe  UGA.exe
File opened for modification  C:\windows\system\ECGCM.exe  JZYLYXI.exe
File created                  C:\windows\PTAKG.exe.bat  ADZKAA.exe
File created                  C:\windows\VTUEBD.exe.bat  IQYFWMY.exe
File created                  C:\windows\ENZAW.exe  UMXV.exe
File created                  C:\windows\AQI.exe  NSIJ.exe
File created                  C:\windows\AEXABHW.exe.bat  NTPKNEB.exe
File created                  C:\windows\HOOPIV.exe  BOGB.exe
File created                  C:\windows\ZHSQS.exe.bat  NPPF.exe
File created                  C:\windows\system\KRQ.exe  RZJIS.exe
File created                  C:\windows\QYNN.exe.bat  ZQL.exe
File created                  C:\windows\LBXLSG.exe  VLWU.exe
File created                  C:\windows\system\IOC.exe  JDZIXQ.exe
File created                  C:\windows\QHLIDB.exe.bat  BMB.exe
File opened for modification  C:\windows\system\EGOCSDJ.exe  AQI.exe
File created                  C:\windows\system\YTVKZ.exe.bat  WVHQKSU.exe
File opened for modification  C:\windows\system\HGZHK.exe  UVJIW.exe
File opened for modification  C:\windows\ZQBH.exe  IQZ.exe
File created                  C:\windows\system\MGGV.exe.bat  AQZVBEY.exe
File opened for modification  C:\windows\system\TQDMEC.exe  AVZQ.exe
File created                  C:\windows\VLWU.exe  ZFQ.exe
File opened for modification  C:\windows\SLP.exe  IOC.exe
File created                  C:\windows\FJRD.exe  KWMTBFF.exe
File created                  C:\windows\QYNN.exe  ZQL.exe
File created                  C:\windows\system\MBLEC.exe.bat  TIWLLSY.exe
File created                  C:\windows\system\EWH.exe.bat  DSDU.exe
File created                  C:\windows\NTPKNEB.exe  FOC.exe
File opened for modification  C:\windows\system\YUGTYJ.exe  REF.exe
File opened for modification  C:\windows\system\IZC.exe  RUSST.exe
File opened for modification  C:\windows\TASYNH.exe  KRQ.exe
File created                  C:\windows\ATGZ.exe  AGG.exe
File opened for modification  C:\windows\ATGZ.exe  AGG.exe
File opened for modification  C:\windows\BKT.exe  HOOPIV.exe
File created                  C:\windows\RNSSR.exe.bat  FXESETV.exe
File created                  C:\windows\RWI.exe  EMA.exe
File created                  C:\windows\system\PIUZM.exe.bat  JHMLVOT.exe
File created                  C:\windows\system\EGOCSDJ.exe.bat  AQI.exe
File opened for modification  C:\windows\system\RJSBXV.exe  EGOCSDJ.exe
File created                  C:\windows\VERX.exe  EUBZ.exe
File created                  C:\windows\system\ZFQ.exe  GCMBZK.exe
File created                  C:\windows\system\ECGCM.exe  JZYLYXI.exe
File opened for modification  C:\windows\VLWU.exe  ZFQ.exe
File opened for modification  C:\windows\system\BOGB.exe  ZQBH.exe
File created                  C:\windows\system\FLYPCKI.exe.bat  LXBFSK.exe
File created                  C:\windows\system\IOC.exe.bat  JDZIXQ.exe
File created                  C:\windows\ENZAW.exe.bat  UMXV.exe
File created                  C:\windows\BHRYF.exe.bat  XRK.exe
File created                  C:\windows\system\MBLEC.exe  TIWLLSY.exe
File opened for modification  C:\windows\system\RGTCOQX.exe  PIO.exe
File created                  C:\windows\system\QPXQYZ.exe.bat  UKFAH.exe
File created                  C:\windows\ZQBH.exe  IQZ.exe
File created                  C:\windows\BKT.exe  HOOPIV.exe
File opened for modification  C:\windows\IBZEFQ.exe  EQB.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
Every pid_target is the sample (3556) or a PID from the Executes dropped EXE table, in execution order: each copy spawns its successor and is then handled by WerFault.exe, so no copy stays resident while the chain keeps going.
pid   pid_target  Process       procid_target
4808  3556        WerFault.exe  82
4692  5036        WerFault.exe  90
3672  1664        WerFault.exe  96
4336  4828        WerFault.exe  103
392   4320        WerFault.exe  108
2660  5004        WerFault.exe  115
4716  4592        WerFault.exe  120
1652  2348        WerFault.exe  125
4988  3488        WerFault.exe  130
836   3940        WerFault.exe  136
4812  4012        WerFault.exe  141
1804  3564        WerFault.exe  146
464   4552        WerFault.exe  151
3912  4128        WerFault.exe  158
3288  3228        WerFault.exe  163
1720  4632        WerFault.exe  168
4124  1900        WerFault.exe  173
3948  4828        WerFault.exe  178
680   3492        WerFault.exe  183
4420  4288        WerFault.exe  188
3536  5000        WerFault.exe  193
1092  2960        WerFault.exe  198
1184  3928        WerFault.exe  203
2032  4236        WerFault.exe  208
4828  3608        WerFault.exe  213
3492  3752        WerFault.exe  218
4464  3092        WerFault.exe  223
2532  4288        WerFault.exe  228
4892  4484        WerFault.exe  233
1720  1460        WerFault.exe  238
4812  4932        WerFault.exe  243
1804  3736        WerFault.exe  247
3492  4280        WerFault.exe  253
2656  3464        WerFault.exe  258
2276  2268        WerFault.exe  263
3760  1884        WerFault.exe  268
1720  936         WerFault.exe  273
3604  5104        WerFault.exe  278
1896  4800        WerFault.exe  283
4948  2728        WerFault.exe  289
4128  3892        WerFault.exe  294
5024  448         WerFault.exe  299
1184  4644        WerFault.exe  305
3048  2564        WerFault.exe  310
4904  4384        WerFault.exe  315
1404  1292        WerFault.exe  320
4464  3092        WerFault.exe  325
1320  1364        WerFault.exe  330
3760  1288        WerFault.exe  335
2360  5024        WerFault.exe  340
3188  3848        WerFault.exe  345
1152  3636        WerFault.exe  349
3492  2492        WerFault.exe  355
2532  1976        WerFault.exe  360
5056  2572        WerFault.exe  365
5020  5116        WerFault.exe  370
4824  3288        WerFault.exe  375
2428  2540        WerFault.exe  380
2296  3284        WerFault.exe  385
3876  1916        WerFault.exe  390
2792  4868        WerFault.exe  395
3264  4028        WerFault.exe  400
4980  3892        WerFault.exe  405
2364  3708        WerFault.exe  410
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. 33 of the 64 hits come from the cmd.exe launchers, which is not behaviour specific to the sample, so weight this signature by the 31 dropped copies that open the key themselves.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes (64 entries; cmd.exe accounts for 33): WKP.exe, UHDS.exe, IZC.exe, ADZKAA.exe, GWUU.exe, KWMTBFF.exe, SRKHU.exe, KBDF.exe, FPHETP.exe, ICENV.exe, LII.exe, BKT.exe, LMQPVWX.exe, TQDMEC.exe, QYNN.exe, VGIIRU.exe, EGOCSDJ.exe, VDQ.exe, HNTETQ.exe, PVBL.exe, RJSBXV.exe, WVHQKSU.exe, FXESETV.exe, QTYLKGV.exe, ZQL.exe, GSQXY.exe, UZLQZ.exe, AGG.exe, TLMIVKM.exe, GZHEK.exe, YXKJNH.exe, cmd.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process (each pair is recorded twice in the report): 3556 770bd2b52da41659366ab5e9511b48e0N.exe, 5036 EURRIO.exe, 1664 DFUZR.exe, 4828 IQYFWMY.exe, 4320 VTUEBD.exe, 5004 TRNH.exe, 4592 KBDF.exe, 2348 HZJUCM.exe, 3488 UKFAH.exe, 3940 QPXQYZ.exe, 4012 AQZVBEY.exe, 3564 MGGV.exe, 4552 VGIIRU.exe, 4128 UZLQZ.exe, 3228 OMQHKA.exe, 4632 UMXV.exe, 1900 ENZAW.exe, 4828 XFHLO.exe, 3492 TLMIVKM.exe, 4288 MOQE.exe, 5000 LZB.exe, 2960 RZJIS.exe, 3928 KRQ.exe, 4236 TASYNH.exe, 3608 NSIJ.exe, 3752 AQI.exe, 3092 EGOCSDJ.exe, 4288 RJSBXV.exe, 4484 EUBZ.exe, 1460 VERX.exe, 4932 BFZLUUW.exe, 3736 UXOWLVM.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid Process (each pair is recorded twice in the report): 3556 770bd2b52da41659366ab5e9511b48e0N.exe, 5036 EURRIO.exe, 1664 DFUZR.exe, 4828 IQYFWMY.exe, 4320 VTUEBD.exe, 5004 TRNH.exe, 4592 KBDF.exe, 2348 HZJUCM.exe, 3488 UKFAH.exe, 3940 QPXQYZ.exe, 4012 AQZVBEY.exe, 3564 MGGV.exe, 4552 VGIIRU.exe, 4128 UZLQZ.exe, 3228 OMQHKA.exe, 4632 UMXV.exe, 1900 ENZAW.exe, 4828 XFHLO.exe, 3492 TLMIVKM.exe, 4288 MOQE.exe, 5000 LZB.exe, 2960 RZJIS.exe, 3928 KRQ.exe, 4236 TASYNH.exe, 3608 NSIJ.exe, 3752 AQI.exe, 3092 EGOCSDJ.exe, 4288 RJSBXV.exe, 4484 EUBZ.exe, 1460 VERX.exe, 4932 BFZLUUW.exe, 3736 UXOWLVM.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/child pair is recorded three times (the last pair once, because the table is capped at 64 rows). The targets are exactly the children in the process tree, so these writes belong to process creation rather than injection into an unrelated process.
pid   wrote to memory of  Process                                procid_target
3556  2412                770bd2b52da41659366ab5e9511b48e0N.exe  86
2412  5036                cmd.exe                                90
5036  1920                EURRIO.exe                             92
1920  1664                cmd.exe                                96
1664  1180                DFUZR.exe                              99
1180  4828                cmd.exe                                103
4828  2428                IQYFWMY.exe                            104
2428  4320                cmd.exe                                108
4320  1080                VTUEBD.exe                             111
1080  5004                cmd.exe                                115
5004  2676                TRNH.exe                               116
2676  4592                cmd.exe                                120
4592  4820                KBDF.exe                               121
4820  2348                cmd.exe                                125
2348  1976                HZJUCM.exe                             126
1976  3488                cmd.exe                                130
3488  4040                UKFAH.exe                              132
4040  3940                cmd.exe                                136
3940  1100                QPXQYZ.exe                             137
1100  4012                cmd.exe                                141
4012  2076                AQZVBEY.exe                            142
2076  3564                cmd.exe                                146
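The signature tables above each describe one facet of the same replication chain. The following script is an added example, not part of the tria.ge report or its tooling: it parses rows copied from the "Executes dropped EXE", "Drops file", "Program crash" and "WriteProcessMemory" tables (the first hops only, since each table is capped at 64 IoCs), follows the parent-to-child WriteProcessMemory edges from the sample, and joins in which copies crashed and which .exe/.exe.bat pair each copy dropped. The regular expressions encode the field layout as it appears in the rows above; that layout is an assumption of this example, not a documented tria.ge format.

```python
"""Added example (not part of the tria.ge report): join the report's own
signature tables to rebuild the replication chain of this sample.
Row strings below are copied from the tables above (first hops only);
the field layouts are assumed from those rows."""
import re
from collections import defaultdict

# "Executes dropped EXE": pid Process
DROPPED_EXE = """
5036 EURRIO.exe
1664 DFUZR.exe
4828 IQYFWMY.exe
4320 VTUEBD.exe
5004 TRNH.exe
4592 KBDF.exe
2348 HZJUCM.exe
3488 UKFAH.exe
"""

# "Drops file in Windows directory" / "Drops file in System32 directory": description ioc Process
DROP_EVENTS = r"""
File created C:\windows\VTUEBD.exe.bat IQYFWMY.exe
File created C:\windows\system\TRNH.exe VTUEBD.exe
File created C:\windows\SysWOW64\KBDF.exe TRNH.exe
File opened for modification C:\windows\HZJUCM.exe KBDF.exe
File opened for modification C:\windows\SysWOW64\UKFAH.exe HZJUCM.exe
File created C:\windows\system\QPXQYZ.exe.bat UKFAH.exe
"""

# "Program crash": pid pid_target Process procid_target
CRASHES = """
4808 3556 WerFault.exe 82
4692 5036 WerFault.exe 90
3672 1664 WerFault.exe 96
4336 4828 WerFault.exe 103
392 4320 WerFault.exe 108
2660 5004 WerFault.exe 115
4716 4592 WerFault.exe 120
1652 2348 WerFault.exe 125
4988 3488 WerFault.exe 130
"""

# "Suspicious use of WriteProcessMemory", one copy of each triplicated row:
# PID <parent> wrote to memory of <child> <parent> <parent process> <procid_target>
WPM = """
PID 3556 wrote to memory of 2412 3556 770bd2b52da41659366ab5e9511b48e0N.exe 86
PID 2412 wrote to memory of 5036 2412 cmd.exe 90
PID 5036 wrote to memory of 1920 5036 EURRIO.exe 92
PID 1920 wrote to memory of 1664 1920 cmd.exe 96
PID 1664 wrote to memory of 1180 1664 DFUZR.exe 99
PID 1180 wrote to memory of 4828 1180 cmd.exe 103
PID 4828 wrote to memory of 2428 4828 IQYFWMY.exe 104
PID 2428 wrote to memory of 4320 2428 cmd.exe 108
PID 4320 wrote to memory of 1080 4320 VTUEBD.exe 111
PID 1080 wrote to memory of 5004 1080 cmd.exe 115
PID 5004 wrote to memory of 2676 5004 TRNH.exe 116
PID 2676 wrote to memory of 4592 2676 cmd.exe 120
PID 4592 wrote to memory of 4820 4592 KBDF.exe 121
PID 4820 wrote to memory of 2348 4820 cmd.exe 125
PID 2348 wrote to memory of 1976 2348 HZJUCM.exe 126
PID 1976 wrote to memory of 3488 1976 cmd.exe 130
"""

DROP_RE = re.compile(r"^(File created|File opened for modification) (\S+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")


def parse_dropped_exe(text):
    """pid -> process name. The sandbox reuses PIDs within a run (4828 is IQYFWMY.exe
    and later XFHLO.exe), so a join over the full table must be time-ordered."""
    names = {}
    for line in text.strip().splitlines():
        pid, name = line.split(None, 1)
        names[int(pid)] = name.strip()
    return names


def parse_drops(text):
    """Group drop rows by payload: X.exe and X.exe.bat share the key 'X.exe'."""
    groups = defaultdict(lambda: {"exe": None, "bat": None, "droppers": set()})
    for line in text.strip().splitlines():
        m = DROP_RE.match(line.strip())
        if not m:
            continue
        _action, path, dropper = m.groups()
        base = path.rsplit("\\", 1)[-1]
        if base.lower().endswith(".exe.bat"):
            key, slot = base[:-4], "bat"
        elif base.lower().endswith(".exe"):
            key, slot = base, "exe"
        else:
            continue
        groups[key][slot] = path
        groups[key]["droppers"].add(dropper)
    return dict(groups)


def parse_crashes(text):
    """Set of pid_target values that WerFault.exe was started for."""
    crashed = set()
    for line in text.strip().splitlines():
        _pid, target, proc, _procid = line.split()
        if proc == "WerFault.exe":
            crashed.add(int(target))
    return crashed


def parse_wpm(text):
    """parent pid -> (child pid, parent process name)."""
    edges = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent, child, pname = m.groups()
            edges[int(parent)] = (int(child), pname)
    return edges


def walk_chain(edges, root_pid, names):
    """Follow WriteProcessMemory edges from the sample; returns [(pid, name), ...]."""
    chain, pid, seen = [], root_pid, set()
    while pid in edges and pid not in seen:
        seen.add(pid)
        child, pname = edges[pid]
        chain.append((pid, pname))
        pid = child
    chain.append((pid, names.get(pid, "?")))  # last hop has no outgoing edge in this excerpt
    return chain


def alternates_exe_cmd(chain):
    """True if hops alternate dropped EXE / cmd.exe, as the .bat-launcher pattern predicts."""
    return all((name == "cmd.exe") == (i % 2 == 1) for i, (_, name) in enumerate(chain))


def build_report():
    """Per dropped copy: pid, name, whether WerFault handled it, and what it dropped."""
    names = parse_dropped_exe(DROPPED_EXE)
    drops = parse_drops(DROP_EVENTS)
    crashed = parse_crashes(CRASHES)
    chain = walk_chain(parse_wpm(WPM), 3556, names)
    rows = []
    for pid, name in chain:
        if name == "cmd.exe":
            continue
        rows.append({"pid": pid, "name": name, "crashed": pid in crashed,
                     "dropped": sorted(k for k, v in drops.items() if name in v["droppers"])})
    return chain, rows


if __name__ == "__main__":
    chain, rows = build_report()
    print("alternating exe/cmd.exe:", alternates_exe_cmd(chain))
    for r in rows:
        print(f"{r['pid']:>5} {r['name']:<12} crashed={r['crashed']!s:<5} dropped={r['dropped']}")
```

Run stand-alone it prints one line per copy in the excerpt; the empty "dropped" column for the first three copies reflects the 64-row cap on the drop tables, not an absence of drops (the process tree shows EURRIO.exe launching DFUZR.exe.bat).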
Processes
- Level 1, PID 3556: C:\Users\Admin\AppData\Local\Temp\770bd2b52da41659366ab5e9511b48e0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\770bd2b52da41659366ab5e9511b48e0N.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Level 2, PID 2412: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\EURRIO.exe.bat" "
  - Suspicious use of WriteProcessMemory
- Level 3, PID 5036: C:\windows\EURRIO.exe
  Command line: C:\windows\EURRIO.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Level 4, PID 1920: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\DFUZR.exe.bat" "
  - Suspicious use of WriteProcessMemory
- Level 5, PID 1664: C:\windows\DFUZR.exe
  Command line: C:\windows\DFUZR.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Level 6, PID 1180: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IQYFWMY.exe.bat" "
  - Suspicious use of WriteProcessMemory
- Level 7, PID 4828: C:\windows\IQYFWMY.exe
  Command line: C:\windows\IQYFWMY.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Level 8, PID 2428: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VTUEBD.exe.bat" "
  - Suspicious use of WriteProcessMemory
- Level 9, PID 4320: C:\windows\VTUEBD.exe
  Command line: C:\windows\VTUEBD.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Level 10, PID 1080: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TRNH.exe.bat" "
  - Suspicious use of WriteProcessMemory
- Level 11, PID 5004: C:\windows\system\TRNH.exe
  Command line: C:\windows\system\TRNH.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Level 12, PID 2676: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KBDF.exe.bat" "
  - Suspicious use of WriteProcessMemory
- Level 13, PID 4592: C:\windows\SysWOW64\KBDF.exe
  Command line: C:\windows\system32\KBDF.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Level 14, PID 4820: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HZJUCM.exe.bat" "
  - Suspicious use of WriteProcessMemory
- Level 15, PID 2348: C:\windows\HZJUCM.exe
  Command line: C:\windows\HZJUCM.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Level 16, PID 1976: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKFAH.exe.bat" "
  - Suspicious use of WriteProcessMemory
- Level 17, PID 3488: C:\windows\SysWOW64\UKFAH.exe
  Command line: C:\windows\system32\UKFAH.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Level 18, PID 4040: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QPXQYZ.exe.bat" "
  - Suspicious use of WriteProcessMemory
- Level 19, PID 3940: C:\windows\system\QPXQYZ.exe
  Command line: C:\windows\system\QPXQYZ.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Level 20, PID 1100: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AQZVBEY.exe.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- Level 21, PID 4012: C:\windows\SysWOW64\AQZVBEY.exe
  Command line: C:\windows\system32\AQZVBEY.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Level 22, PID 2076: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MGGV.exe.bat" "
  - Suspicious use of WriteProcessMemory
- Level 23, PID 3564: C:\windows\system\MGGV.exe
  Command line: C:\windows\system\MGGV.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 24, PID 3608: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VGIIRU.exe.bat" "
  - System Location Discovery: System Language Discovery
- Level 25, PID 4552: C:\windows\SysWOW64\VGIIRU.exe
  Command line: C:\windows\system32\VGIIRU.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 26, PID 4820: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UZLQZ.exe.bat" "
  - System Location Discovery: System Language Discovery
- Level 27, PID 4128: C:\windows\UZLQZ.exe
  Command line: C:\windows\UZLQZ.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 28, PID 1084: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OMQHKA.exe.bat" "
  - System Location Discovery: System Language Discovery
- Level 29, PID 3228: C:\windows\SysWOW64\OMQHKA.exe
  Command line: C:\windows\system32\OMQHKA.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 30, PID 2356: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UMXV.exe.bat" "
- Level 31, PID 4632: C:\windows\SysWOW64\UMXV.exe
  Command line: C:\windows\system32\UMXV.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 32, PID 5116: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ENZAW.exe.bat" "
- Level 33, PID 1900: C:\windows\ENZAW.exe
  Command line: C:\windows\ENZAW.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 34, PID 3724: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XFHLO.exe.bat" "
- Level 35, PID 4828: C:\windows\system\XFHLO.exe
  Command line: C:\windows\system\XFHLO.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 36, PID 4344: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TLMIVKM.exe.bat" "
- Level 37, PID 3492: C:\windows\SysWOW64\TLMIVKM.exe
  Command line: C:\windows\system32\TLMIVKM.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 38, PID 1940: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOQE.exe.bat" "
  - System Location Discovery: System Language Discovery
- Level 39, PID 4288: C:\windows\system\MOQE.exe
  Command line: C:\windows\system\MOQE.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 40, PID 5016: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZB.exe.bat" "
- Level 41, PID 5000: C:\windows\SysWOW64\LZB.exe
  Command line: C:\windows\system32\LZB.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 42, PID 2104: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RZJIS.exe.bat" "
- Level 43, PID 2960: C:\windows\RZJIS.exe
  Command line: C:\windows\RZJIS.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 44, PID 2720: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KRQ.exe.bat" "
  - System Location Discovery: System Language Discovery
- Level 45, PID 3928: C:\windows\system\KRQ.exe
  Command line: C:\windows\system\KRQ.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 46, PID 2040: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TASYNH.exe.bat" "
  - System Location Discovery: System Language Discovery
- Level 47, PID 4236: C:\windows\TASYNH.exe
  Command line: C:\windows\TASYNH.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 48, PID 4124: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NSIJ.exe.bat" "
- Level 49, PID 3608: C:\windows\system\NSIJ.exe
  Command line: C:\windows\system\NSIJ.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 50, PID 4100: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AQI.exe.bat" "
- Level 51, PID 3752: C:\windows\AQI.exe
  Command line: C:\windows\AQI.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 52, PID 860: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EGOCSDJ.exe.bat" "
- Level 53, PID 3092: C:\windows\system\EGOCSDJ.exe
  Command line: C:\windows\system\EGOCSDJ.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 54, PID 1716: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RJSBXV.exe.bat" "
- Level 55, PID 4288: C:\windows\system\RJSBXV.exe
  Command line: C:\windows\system\RJSBXV.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 56, PID 4588: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EUBZ.exe.bat" "
- Level 57, PID 4484: C:\windows\SysWOW64\EUBZ.exe
  Command line: C:\windows\system32\EUBZ.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 58, PID 4708: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VERX.exe.bat" "
- Level 59, PID 1460: C:\windows\VERX.exe
  Command line: C:\windows\VERX.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 60, PID 2360: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BFZLUUW.exe.bat" "
- Level 61, PID 4932: C:\windows\BFZLUUW.exe
  Command line: C:\windows\BFZLUUW.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 62, PID 2292: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UXOWLVM.exe.bat" "
- Level 63, PID 3736: C:\windows\SysWOW64\UXOWLVM.exe
  Command line: C:\windows\system32\UXOWLVM.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- Level 64, PID 3328: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVHQKSU.exe.bat" "
  - System Location Discovery: System Language Discovery
- Level 65, PID 4280: C:\windows\SysWOW64\WVHQKSU.exe
  Command line: C:\windows\system32\WVHQKSU.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- Level 66, PID 116: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\YTVKZ.exe.bat" "
- Level 67, PID 3464: C:\windows\system\YTVKZ.exe
  Command line: C:\windows\system\YTVKZ.exe
  - Executes dropped EXE
- Level 68, PID 3032: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LERJES.exe.bat" "
- Level 69, PID 2268: C:\windows\LERJES.exe
  Command line: C:\windows\LERJES.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- Level 70, PID 1072: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TJDYPQ.exe.bat" "
  - System Location Discovery: System Language Discovery
- Level 71, PID 1884: C:\windows\SysWOW64\TJDYPQ.exe
  Command line: C:\windows\system32\TJDYPQ.exe
  - Checks computer location settings
  - Executes dropped EXE
- Level 72, PID 3152: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\XRK.exe.bat" "
- Level 73, PID 936: C:\windows\XRK.exe
  Command line: C:\windows\XRK.exe
  - Executes dropped EXE
  - Drops file in Windows directory
- Level 74, PID 760: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\BHRYF.exe.bat" "
  - System Location Discovery: System Language Discovery
- Level 75, PID 5104: C:\windows\BHRYF.exe
  Command line: C:\windows\BHRYF.exe
  - Executes dropped EXE
- Level 76, PID 1868: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MAUQOI.exe.bat" "
- Level 77, PID 4800: C:\windows\system\MAUQOI.exe
  Command line: C:\windows\system\MAUQOI.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
- Level 78, PID 4320: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LLXGW.exe.bat" "
- Level 79, PID 2728: C:\windows\LLXGW.exe
  Command line: C:\windows\LLXGW.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
- Level 80, PID 1640: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AGG.exe.bat" "
- Level 81, PID 3892: C:\windows\SysWOW64\AGG.exe
  Command line: C:\windows\system32\AGG.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- Level 82, PID 4380: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ATGZ.exe.bat" "
- Level 83, PID 448: C:\windows\ATGZ.exe
  Command line: C:\windows\ATGZ.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- Level 84, PID 1816: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMJ.exe.bat" "
- Level 85, PID 4644: C:\windows\SysWOW64\MMJ.exe
  Command line: C:\windows\system32\MMJ.exe
  - Executes dropped EXE
- Level 86, PID 2360: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WKP.exe.bat" "
- Level 87, PID 2564: C:\windows\system\WKP.exe
  Command line: C:\windows\system\WKP.exe
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- Level 88, PID 3416: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JMXLNO.exe.bat" "
- Level 89, PID 4384: C:\windows\system\JMXLNO.exe
  Command line: C:\windows\system\JMXLNO.exe
  - Executes dropped EXE
- Level 90, PID 2296: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AVZQ.exe.bat" "
- Level 91, PID 1292: C:\windows\SysWOW64\AVZQ.exe
  Command line: C:\windows\system32\AVZQ.exe
  - Executes dropped EXE
  - Drops file in Windows directory
- Level 92, PID 4716: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TQDMEC.exe.bat" "
  - System Location Discovery: System Language Discovery
- Level 93, PID 3092: C:\windows\system\TQDMEC.exe
  Command line: C:\windows\system\TQDMEC.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- Level 94, PID 4028: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZQL.exe.bat" "
- Level 95, PID 1364: C:\windows\SysWOW64\ZQL.exe
  Command line: C:\windows\system32\ZQL.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- Level 96, PID 4588: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\QYNN.exe.bat" "
- Level 97, PID 1288: C:\windows\QYNN.exe
  Command line: C:\windows\QYNN.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- Level 98, PID 3680: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JBQ.exe.bat" "
- Level 99, PID 5024: C:\windows\system\JBQ.exe
  Command line: C:\windows\system\JBQ.exe
  - Checks computer location settings
  - Executes dropped EXE
- Level 100, PID 1904: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HRKLREC.exe.bat" "
- Level 101, PID 3848: C:\windows\HRKLREC.exe
  Command line: C:\windows\HRKLREC.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- Level 102, PID 2428: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GCMBZK.exe.bat" "
- Level 103, PID 3636: C:\windows\SysWOW64\GCMBZK.exe
  Command line: C:\windows\system32\GCMBZK.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
- Level 104, PID 2412: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZFQ.exe.bat" "
- Level 105, PID 2492: C:\windows\system\ZFQ.exe
  Command line: C:\windows\system\ZFQ.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
- Level 106, PID 4800: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VLWU.exe.bat" "
- Level 107, PID 1976: C:\windows\VLWU.exe
  Command line: C:\windows\VLWU.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
- Level 108, PID 2792: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LBXLSG.exe.bat" "
- Level 109, PID 2572: C:\windows\LBXLSG.exe
  Command line: C:\windows\LBXLSG.exe
  - Checks computer location settings
  - Executes dropped EXE
- Level 110, PID 828: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FOC.exe.bat" "
- Level 111, PID 5116: C:\windows\FOC.exe
  Command line: C:\windows\FOC.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
- Level 112, PID 4792: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NTPKNEB.exe.bat" "
- Level 113, PID 3288: C:\windows\NTPKNEB.exe
  Command line: C:\windows\NTPKNEB.exe
  - Executes dropped EXE
  - Drops file in Windows directory
- Level 114, PID 3488: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AEXABHW.exe.bat" "
  - System Location Discovery: System Language Discovery
- Level 115, PID 2540: C:\windows\AEXABHW.exe
  Command line: C:\windows\AEXABHW.exe
  - Executes dropped EXE
- Level 116, PID 3564: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KCDVJ.exe.bat" "
- Level 117, PID 3284: C:\windows\system\KCDVJ.exe
  Command line: C:\windows\system\KCDVJ.exe
  - Executes dropped EXE
- Level 118, PID 1748: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FPHETP.exe.bat" "
- Level 119, PID 1916: C:\windows\FPHETP.exe
  Command line: C:\windows\FPHETP.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- Level 120, PID 1084: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\GSLIZ.exe.bat" "
- Level 121, PID 4868: C:\windows\system\GSLIZ.exe
  Command line: C:\windows\system\GSLIZ.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
- Level 122, PID 4456: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IQZ.exe.bat" "
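The process tree above is a single relay: every dropped stage launches `cmd.exe /c "<dir>\<name>.exe.bat"`, and that batch file starts `<name>.exe` from `C:\windows`, `C:\windows\system` or `C:\windows\system32` (shown as `SysWOW64` because the sample is 32-bit). The "wrote to memory" rows record the same chain from the WriteProcessMemory side. The script below is an added example, not part of the tria.ge report: it parses a copied excerpt of those rows into writer-to-target edges, rebuilds the chain from a chosen PID, and flags the cmd.exe-to-.exe.bat-to-.exe relay over a constructed excerpt of the tree. The trailing number on each row (121, 125, ...) is assumed to be a report-internal reference to the target process rather than a PID, and is ignored; all regexes and the tuple layout of `PROCESS_TREE` are this example's own choices.

```python
# Added example (not part of the tria.ge report): rebuild the dropper chain from
# the report's "wrote to memory" rows and flag the cmd.exe -> .exe.bat -> .exe relay.
import re
from collections import defaultdict

# Rows copied from the report's "Suspicious use of WriteProcessMemory" table as
# the page renders them (run together; each write is listed up to three times).
WROTE_TO_MEMORY = (
    "PID 4592 wrote to memory of 4820 4592 KBDF.exe 121 "
    "PID 4592 wrote to memory of 4820 4592 KBDF.exe 121 "
    "PID 4820 wrote to memory of 2348 4820 cmd.exe 125 "
    "PID 4820 wrote to memory of 2348 4820 cmd.exe 125 "
    "PID 4820 wrote to memory of 2348 4820 cmd.exe 125 "
    "PID 2348 wrote to memory of 1976 2348 HZJUCM.exe 126 "
    "PID 2348 wrote to memory of 1976 2348 HZJUCM.exe 126 "
    "PID 1976 wrote to memory of 3488 1976 cmd.exe 130 "
    "PID 3488 wrote to memory of 4040 3488 UKFAH.exe 132 "
    "PID 4040 wrote to memory of 3940 4040 cmd.exe 136 "
    "PID 3940 wrote to memory of 1100 3940 QPXQYZ.exe 137 "
)

# Row layout: description, writer pid, writer image, then a trailing number that is
# assumed to be the report's internal reference to the target (not a PID). It is
# captured so the row parses but never used.
EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_edges(text):
    """Return de-duplicated (writer_pid, target_pid, writer_image) in first-seen order."""
    seen, edges = set(), []
    for writer, target, image, _ref in EDGE_RE.findall(text):
        key = (int(writer), int(target), image)
        if key not in seen:
            seen.add(key)
            edges.append(key)
    return edges


def build_chain(edges, root):
    """Depth-first walk of writer->target edges from root: [(depth, pid, image)].
    A pid that never writes to another process gets image '?' (rows only name the
    writer), and a malformed cyclic list cannot make the walk loop forever."""
    targets, image_of = defaultdict(list), {}
    for writer, target, image in edges:
        targets[writer].append(target)
        image_of[writer] = image
    chain = []

    def walk(pid, depth, seen):
        if pid in seen:
            return
        chain.append((depth, pid, image_of.get(pid, "?")))
        for nxt in targets.get(pid, []):
            walk(nxt, depth + 1, seen | {pid})

    walk(root, 0, frozenset())
    return chain


# Constructed from the report's process tree: (pid, parent_pid, image, command line).
# Parents 0 and 5004 are outside this excerpt, which the detector must tolerate.
PROCESS_TREE = [
    (3556, 0, r"C:\Users\Admin\AppData\Local\Temp\770bd2b52da41659366ab5e9511b48e0N.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\770bd2b52da41659366ab5e9511b48e0N.exe"'),
    (2412, 3556, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\windows\EURRIO.exe.bat" "'),
    (5036, 2412, r"C:\windows\EURRIO.exe", r"C:\windows\EURRIO.exe"),
    (1920, 5036, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\windows\DFUZR.exe.bat" "'),
    (1664, 1920, r"C:\windows\DFUZR.exe", r"C:\windows\DFUZR.exe"),
    (2676, 5004, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KBDF.exe.bat" "'),
    (4592, 2676, r"C:\windows\SysWOW64\KBDF.exe", r"C:\windows\system32\KBDF.exe"),
]

# cmd.exe /c ""<dir>\<name>.exe.bat" " as the report renders it; the doubled quote is
# optional so a plain /c "<path>.exe.bat" form is matched as well.
BAT_RE = re.compile(r'cmd\.exe\s+/c\s+""?([^"]+\.exe)\.bat"', re.IGNORECASE)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def flag_bat_relays(tree):
    """Flag each process whose parent is cmd.exe running <name>.exe.bat and whose own
    image is <name>.exe under the Windows directory. Comparing basenames tolerates
    the system32 -> SysWOW64 redirection seen in the tree. Returns [(cmd_pid, exe_pid, image)]."""
    by_pid = {row[0]: row for row in tree}
    hits = []
    for pid, ppid, image, _cmdline in tree:
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        m = BAT_RE.search(parent[3])
        if (m and _basename(m.group(1)) == _basename(image)
                and image.lower().startswith("c:\\windows\\")):
            hits.append((ppid, pid, image))
    return hits


if __name__ == "__main__":
    for depth, pid, image in build_chain(parse_edges(WROTE_TO_MEMORY), 4592):
        print("  " * depth + f"{pid} {image}")
    for cmd_pid, exe_pid, image in flag_bat_relays(PROCESS_TREE):
        print(f"relay: cmd.exe {cmd_pid} -> {exe_pid} {image}")
```

Run as-is it prints the KBDF.exe chain indented by depth and three relay hits (EURRIO.exe, DFUZR.exe, KBDF.exe). On a real endpoint the same `BAT_RE` test applies to process-creation telemetry: a `cmd.exe` parent whose command line ends in `.exe.bat` spawning a same-named image directly under `C:\Windows` is not something legitimate installers do, and the basename comparison keeps the check working under WOW64 path redirection.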