Analysis
max time kernel: 150s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/09/2024, 01:58
Static task: static1
Behavioral task: behavioral1
  Sample: d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe
  Resource: win10v2004-20240802-en
General
Target: d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe
Size: 208KB
MD5: 24e1696914de486c46ce4ad22fee3b7c
SHA1: fe9acc2315aafa9ee22c990d140f62d2458c5a47
SHA256: d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d
SHA512: 544a42b2f979740d5de345e9f02e1e4412637562f61d6a2d76498efc6ff2a16760280234c9dcf5e57a04d76035c7a2b8646e4414c6cd67955b733c76b0df49fb
SSDEEP: 3072:KaUQG7WJg9pda0sbpAmWTgofalXgzFiM0XTsUnIuSAdt2I4NLthEjQT6:KXQ4fmOxWgzFidlSAdt2IQEj
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (each entry is numbered by its depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d16eadede0ef46e48d91f8bd19a7e7eb737512fd53aad137c58cbbfb093d705d.exe"
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4560

2. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AQZVBEY.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 2316

3. C:\windows\SysWOW64\AQZVBEY.exe
   Command line: C:\windows\system32\AQZVBEY.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3336

4. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KNFP.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 1572

5. C:\windows\KNFP.exe
   Command line: C:\windows\KNFP.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2192

6. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MLGJP.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 1428

7. C:\windows\system\MLGJP.exe
   Command line: C:\windows\system\MLGJP.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4104

8. C:\Windows\SysWOW64\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IREGELR.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 1804

9. C:\windows\system\IREGELR.exe
   Command line: C:\windows\system\IREGELR.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1928

10. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\REOYMIE.exe.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2052

11. C:\windows\SysWOW64\REOYMIE.exe
    Command line: C:\windows\system32\REOYMIE.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3316

12. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FHSF.exe.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5056

13. C:\windows\SysWOW64\FHSF.exe
    Command line: C:\windows\system32\FHSF.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 208

14. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HFMZXOH.exe.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 3008

15. C:\windows\SysWOW64\HFMZXOH.exe
    Command line: C:\windows\system32\HFMZXOH.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BSQI.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\windows\BSQI.exeC:\windows\BSQI.exe17⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FIX.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\windows\FIX.exeC:\windows\FIX.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CGD.exe.bat" "20⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\windows\SysWOW64\CGD.exeC:\windows\system32\CGD.exe21⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YLJDI.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\windows\SysWOW64\YLJDI.exeC:\windows\system32\YLJDI.exe23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YRBRJ.exe.bat" "24⤵PID:2684
-
C:\windows\SysWOW64\YRBRJ.exeC:\windows\system32\YRBRJ.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NUS.exe.bat" "26⤵PID:1976
-
C:\windows\system\NUS.exeC:\windows\system\NUS.exe27⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KRQ.exe.bat" "28⤵
- System Location Discovery: System Language Discovery
PID:5056 -
C:\windows\system\KRQ.exeC:\windows\system\KRQ.exe29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VKTL.exe.bat" "30⤵
- System Location Discovery: System Language Discovery
PID:4452 -
C:\windows\VKTL.exeC:\windows\VKTL.exe31⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QFYVUQ.exe.bat" "32⤵PID:4876
-
C:\windows\QFYVUQ.exeC:\windows\QFYVUQ.exe33⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MNSD.exe.bat" "34⤵
- System Location Discovery: System Language Discovery
PID:4500 -
C:\windows\MNSD.exeC:\windows\MNSD.exe35⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4712 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BICPQCB.exe.bat" "36⤵PID:2228
-
C:\windows\SysWOW64\BICPQCB.exeC:\windows\system32\BICPQCB.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3300 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VWGY.exe.bat" "38⤵
- System Location Discovery: System Language Discovery
PID:4324 -
C:\windows\SysWOW64\VWGY.exeC:\windows\system32\VWGY.exe39⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LMHQZXF.exe.bat" "40⤵PID:3808
-
C:\windows\SysWOW64\LMHQZXF.exeC:\windows\system32\LMHQZXF.exe41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BCOBLRU.exe.bat" "42⤵PID:3436
-
C:\windows\system\BCOBLRU.exeC:\windows\system\BCOBLRU.exe43⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EXTK.exe.bat" "44⤵PID:1108
-
C:\windows\EXTK.exeC:\windows\EXTK.exe45⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\IFAKHB.exe.bat" "46⤵PID:464
-
C:\windows\IFAKHB.exeC:\windows\IFAKHB.exe47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RNCPL.exe.bat" "48⤵PID:1668
-
C:\windows\SysWOW64\RNCPL.exeC:\windows\system32\RNCPL.exe49⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XNJDU.exe.bat" "50⤵
- System Location Discovery: System Language Discovery
PID:2404 -
C:\windows\SysWOW64\XNJDU.exeC:\windows\system32\XNJDU.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4104 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IGEWCQ.exe.bat" "52⤵PID:1804
-
C:\windows\system\IGEWCQ.exeC:\windows\system\IGEWCQ.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FEK.exe.bat" "54⤵PID:976
-
C:\windows\SysWOW64\FEK.exeC:\windows\system32\FEK.exe55⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QWNL.exe.bat" "56⤵PID:1656
-
C:\windows\system\QWNL.exeC:\windows\system\QWNL.exe57⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BPIEA.exe.bat" "58⤵PID:1408
-
C:\windows\SysWOW64\BPIEA.exeC:\windows\system32\BPIEA.exe59⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2372 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PAMD.exe.bat" "60⤵PID:3272
-
C:\windows\system\PAMD.exeC:\windows\system\PAMD.exe61⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OKVE.exe.bat" "62⤵PID:684
-
C:\windows\system\OKVE.exeC:\windows\system\OKVE.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1652 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SABE.exe.bat" "64⤵PID:1036
-
C:\windows\SysWOW64\SABE.exeC:\windows\system32\SABE.exe65⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KADJA.exe.bat" "66⤵PID:2808
-
C:\windows\KADJA.exeC:\windows\KADJA.exe67⤵
- Checks computer location settings
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CEHNOYX.exe.bat" "68⤵
- System Location Discovery: System Language Discovery
PID:888 -
C:\windows\CEHNOYX.exeC:\windows\CEHNOYX.exe69⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KWQO.exe.bat" "70⤵
- System Location Discovery: System Language Discovery
PID:4840 -
C:\windows\SysWOW64\KWQO.exeC:\windows\system32\KWQO.exe71⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EMJ.exe.bat" "72⤵
- System Location Discovery: System Language Discovery
PID:4004 -
C:\windows\system\EMJ.exeC:\windows\system\EMJ.exe73⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VULO.exe.bat" "74⤵PID:4352
-
C:\windows\VULO.exeC:\windows\VULO.exe75⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FHVGTTS.exe.bat" "76⤵
- System Location Discovery: System Language Discovery
PID:4284 -
C:\windows\system\FHVGTTS.exeC:\windows\system\FHVGTTS.exe77⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LVVOY.exe.bat" "78⤵
- System Location Discovery: System Language Discovery
PID:2812 -
C:\windows\system\LVVOY.exeC:\windows\system\LVVOY.exe79⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SNVIM.exe.bat" "80⤵PID:4104
-
C:\windows\SysWOW64\SNVIM.exeC:\windows\system32\SNVIM.exe81⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\COXVPF.exe.bat" "82⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\windows\COXVPF.exeC:\windows\COXVPF.exe83⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SLEYBR.exe.bat" "84⤵
- System Location Discovery: System Language Discovery
PID:3436 -
C:\windows\system\SLEYBR.exeC:\windows\system\SLEYBR.exe85⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\THITG.exe.bat" "86⤵PID:1276
-
C:\windows\SysWOW64\THITG.exeC:\windows\system32\THITG.exe87⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EZLMPW.exe.bat" "88⤵
- System Location Discovery: System Language Discovery
PID:1840 -
C:\windows\EZLMPW.exeC:\windows\EZLMPW.exe89⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPR.exe.bat" "90⤵PID:4736
-
C:\windows\SysWOW64\IPR.exeC:\windows\system32\IPR.exe91⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\TIMN.exe.bat" "92⤵PID:1488
-
C:\windows\TIMN.exeC:\windows\TIMN.exe93⤵
- Checks computer location settings
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OVRWLW.exe.bat" "94⤵PID:2904
-
C:\windows\OVRWLW.exeC:\windows\OVRWLW.exe95⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4256 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UVZKUQ.exe.bat" "96⤵PID:2532
-
C:\windows\UVZKUQ.exeC:\windows\UVZKUQ.exe97⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QBF.exe.bat" "98⤵PID:3436
-
C:\windows\QBF.exeC:\windows\QBF.exe99⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SRYB.exe.bat" "100⤵PID:1740
-
C:\windows\system\SRYB.exeC:\windows\system\SRYB.exe101⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BEITY.exe.bat" "102⤵PID:2560
-
C:\windows\BEITY.exeC:\windows\BEITY.exe103⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YKORFD.exe.bat" "104⤵PID:3376
-
C:\windows\SysWOW64\YKORFD.exeC:\windows\system32\YKORFD.exe105⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JCRJNKF.exe.bat" "106⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\windows\SysWOW64\JCRJNKF.exeC:\windows\system32\JCRJNKF.exe107⤵
- Checks computer location settings
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EPWT.exe.bat" "108⤵PID:1912
-
C:\windows\system\EPWT.exeC:\windows\system\EPWT.exe109⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MVOHZ.exe.bat" "110⤵PID:4236
-
C:\windows\SysWOW64\MVOHZ.exeC:\windows\system32\MVOHZ.exe111⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KVWVI.exe.bat" "112⤵PID:4840
-
C:\windows\system\KVWVI.exeC:\windows\system\KVWVI.exe113⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WLKVU.exe.bat" "114⤵PID:4912
-
C:\windows\SysWOW64\WLKVU.exeC:\windows\system32\WLKVU.exe115⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QZHEEK.exe.bat" "116⤵
- System Location Discovery: System Language Discovery
PID:3104 -
C:\windows\SysWOW64\QZHEEK.exeC:\windows\system32\QZHEEK.exe117⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FENBLT.exe.bat" "118⤵PID:3120
-
C:\windows\system\FENBLT.exeC:\windows\system\FENBLT.exe119⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HRS.exe.bat" "120⤵PID:1632
-
C:\windows\system\HRS.exeC:\windows\system\HRS.exe121⤵
- Checks computer location settings
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PITKUH.exe.bat" "122⤵PID:1912