Analysis
- max time kernel: 119s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/09/2024, 13:27
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 60664e5230f58890ff12552c3775d0d0N.exe
  - Resource: win7-20240903-en
- Behavioral task: behavioral2
  - Sample: 60664e5230f58890ff12552c3775d0d0N.exe
  - Resource: win10v2004-20240802-en
General
- Target: 60664e5230f58890ff12552c3775d0d0N.exe
- Size: 384KB
- MD5: 60664e5230f58890ff12552c3775d0d0
- SHA1: dfb69bf6036265233b7b09cdc2f40fc26feb1d36
- SHA256: 1c22dcb575a1dbb2a812d3a8e400bc70053ecc8e01504094db7f6e0161218d1b
- SHA512: 6b00d15b984769d567e1d347f3ec2bc833f4d0d8063f279ed2f44e9f859c92bcdee55d05d9ee14374efb35b0b71b327b1dde16d6f432e1268cf5e1d95f092c6e
- SSDEEP: 6144:QYTUD0v6332Ace4Xd3kEjiPISUOgW9X+hOGzC/NM:QYTUDxMd3kmZzcukG2/
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Process (64 entries, all querying the key above, in report order): WYFWYNH.exe, HCEOZAL.exe, QULS.exe, TKRCGYC.exe, GSEQIPP.exe, FCBIDGY.exe, QAREA.exe, TGFRG.exe, MPLT.exe, VRHSYGV.exe, BSSFSYJ.exe, DACAA.exe, PTXSJF.exe, XXAOSNL.exe, PWUSV.exe, UURO.exe, LMNRCIA.exe, ABI.exe, QWRNHK.exe, LAHC.exe, MYB.exe, QMLONN.exe, UYYIS.exe, LAHDZY.exe, EDGQCE.exe, UADX.exe, CEZTUIL.exe, FVC.exe, TYUIT.exe, LMZMOWI.exe, WQI.exe, AMKJ.exe, TBBIBBP.exe, UJLHOS.exe, XPV.exe, RRJHOHD.exe, HTI.exe, JRMD.exe, MFZYY.exe, ATA.exe, UYZF.exe, WMQL.exe, UQAZ.exe, QNAVSJE.exe, IBT.exe, YRX.exe, QWDJRUZ.exe, UULRVEN.exe, YFKCI.exe, IIDD.exe, BNMNUXI.exe, KQBLR.exe, EZLMPW.exe, FTYQG.exe, SGG.exe, DSLP.exe, IUX.exe, HAPCPDX.exe, IGJUKUA.exe, MVOGEG.exe, TZPYCJ.exe, NZRHI.exe, FQFR.exe, UPGD.exe
- Executes dropped EXE (64 IoCs)
pid | Process
2336 | IUX.exe
2120 | WQI.exe
1620 | ATA.exe
5080 | WYFWYNH.exe
4984 | TZPYCJ.exe
2184 | XXAOSNL.exe
4272 | LCIZUY.exe
4892 | EQTXI.exe
4244 | KQBLR.exe
4336 | KTTWB.exe
1620 | ZOC.exe
4164 | AMKJ.exe
5044 | UAPSGW.exe
2756 | WXVNN.exe
1344 | JAFAWJM.exe
1908 | FGXPNM.exe
1804 | TBBIBBP.exe
112 | THB.exe
3672 | AZRF.exe
3464 | XSAPY.exe
2388 | UQAZ.exe
2356 | UWSNQ.exe
3236 | GZDTZBD.exe
364 | QWRNHK.exe
1620 | RULOAG.exe
3508 | QKKZEZ.exe
960 | QNAVSJE.exe
2112 | UYYIS.exe
1344 | UYZF.exe
540 | EBQJ.exe
2748 | LMNRCIA.exe
208 | EPRV.exe
2424 | LAHDZY.exe
4164 | HFMAGH.exe
4552 | NBQ.exe
3028 | XZENC.exe
244 | MPLT.exe
1828 | CFSWQH.exe
740 | FVNL.exe
3076 | YIZJ.exe
4312 | KQFJZS.exe
2920 | OBQ.exe
4204 | PWUSV.exe
224 | SNPHD.exe
2096 | HDQGKW.exe
4920 | XTD.exe
4716 | LOP.exe
408 | YRX.exe
1812 | VRHSYGV.exe
2100 | QCQRM.exe
1056 | HCEOZAL.exe
4012 | EDGQCE.exe
1972 | VLUVPVX.exe
2384 | HEX.exe
2964 | KMGD.exe
1620 | EZLMPW.exe
3988 | FCBIDGY.exe
4656 | YVJTNZH.exe
1544 | UADX.exe
1156 | FTYQG.exe
2080 | UJLHOS.exe
3708 | KZMZ.exe
1888 | OPTHHY.exe
4412 | XPV.exe
- Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\windows\SysWOW64\MIVDGR.exe | YCPF.exe
File created | C:\windows\SysWOW64\PTXSJF.exe.bat | DACAA.exe
File created | C:\windows\SysWOW64\XXAOSNL.exe.bat | TZPYCJ.exe
File opened for modification | C:\windows\SysWOW64\EASUC.exe | XPV.exe
File created | C:\windows\SysWOW64\CRA.exe | GTUSEJ.exe
File opened for modification | C:\windows\SysWOW64\KAGPT.exe | LMZMOWI.exe
File created | C:\windows\SysWOW64\YCPF.exe.bat | GHRN.exe
File created | C:\windows\SysWOW64\LCIZUY.exe | XXAOSNL.exe
File created | C:\windows\SysWOW64\YVJTNZH.exe.bat | FCBIDGY.exe
File opened for modification | C:\windows\SysWOW64\HAPCPDX.exe | UPGD.exe
File created | C:\windows\SysWOW64\QMCTMXU.exe.bat | GUSLH.exe
File opened for modification | C:\windows\SysWOW64\LAHDZY.exe | EPRV.exe
File created | C:\windows\SysWOW64\WVNUT.exe.bat | GSEQIPP.exe
File opened for modification | C:\windows\SysWOW64\UURO.exe | QMLONN.exe
File opened for modification | C:\windows\SysWOW64\NZRHI.exe | QULS.exe
File created | C:\windows\SysWOW64\YCPF.exe | GHRN.exe
File opened for modification | C:\windows\SysWOW64\XXAOSNL.exe | TZPYCJ.exe
File created | C:\windows\SysWOW64\HFMAGH.exe.bat | LAHDZY.exe
File opened for modification | C:\windows\SysWOW64\GAKNQS.exe | MIVDGR.exe
File created | C:\windows\SysWOW64\UURO.exe | QMLONN.exe
File opened for modification | C:\windows\SysWOW64\UJLHOS.exe | FTYQG.exe
File created | C:\windows\SysWOW64\VTYJNGR.exe | OYOF.exe
File opened for modification | C:\windows\SysWOW64\ABI.exe | IBT.exe
File opened for modification | C:\windows\SysWOW64\PTXSJF.exe | DACAA.exe
File opened for modification | C:\windows\SysWOW64\PBYI.exe | IIJZEY.exe
File opened for modification | C:\windows\SysWOW64\WVNUT.exe | GSEQIPP.exe
File created | C:\windows\SysWOW64\PBYI.exe.bat | IIJZEY.exe
File created | C:\windows\SysWOW64\JAFAWJM.exe.bat | WXVNN.exe
File created | C:\windows\SysWOW64\LAHDZY.exe | EPRV.exe
File created | C:\windows\SysWOW64\TKRCGYC.exe.bat | UULRVEN.exe
File created | C:\windows\SysWOW64\QMLONN.exe.bat | TGFRG.exe
File created | C:\windows\SysWOW64\DACAA.exe | FQFR.exe
File opened for modification | C:\windows\SysWOW64\LCIZUY.exe | XXAOSNL.exe
File created | C:\windows\SysWOW64\YVJTNZH.exe | FCBIDGY.exe
File created | C:\windows\SysWOW64\EASUC.exe | XPV.exe
File created | C:\windows\SysWOW64\HAPCPDX.exe | UPGD.exe
File created | C:\windows\SysWOW64\DRWIAO.exe | HAU.exe
File opened for modification | C:\windows\SysWOW64\ZPPV.exe | RKKO.exe
File created | C:\windows\SysWOW64\UAPSGW.exe.bat | AMKJ.exe
File created | C:\windows\SysWOW64\NBQ.exe | HFMAGH.exe
File created | C:\windows\SysWOW64\EDGQCE.exe.bat | HCEOZAL.exe
File created | C:\windows\SysWOW64\ACPMKUR.exe.bat | IGJUKUA.exe
File created | C:\windows\SysWOW64\GAKNQS.exe | MIVDGR.exe
File created | C:\windows\SysWOW64\KAGPT.exe | LMZMOWI.exe
File opened for modification | C:\windows\SysWOW64\JRMD.exe | XGB.exe
File created | C:\windows\SysWOW64\BNMNUXI.exe.bat | WMQL.exe
File created | C:\windows\SysWOW64\PBYI.exe | IIJZEY.exe
File created | C:\windows\SysWOW64\ZPPV.exe | RKKO.exe
File created | C:\windows\SysWOW64\MFZYY.exe.bat | SRO.exe
File created | C:\windows\SysWOW64\UURO.exe.bat | QMLONN.exe
File created | C:\windows\SysWOW64\JAFAWJM.exe | WXVNN.exe
File created | C:\windows\SysWOW64\XZENC.exe | NBQ.exe
File created | C:\windows\SysWOW64\KMGD.exe.bat | HEX.exe
File created | C:\windows\SysWOW64\KAGPT.exe.bat | LMZMOWI.exe
File created | C:\windows\SysWOW64\MIVDGR.exe.bat | YCPF.exe
File opened for modification | C:\windows\SysWOW64\UAPSGW.exe | AMKJ.exe
File created | C:\windows\SysWOW64\BSSFSYJ.exe.bat | RUM.exe
File created | C:\windows\SysWOW64\GAKNQS.exe.bat | MIVDGR.exe
File created | C:\windows\SysWOW64\JRMD.exe | XGB.exe
File created | C:\windows\SysWOW64\DACAA.exe.bat | FQFR.exe
File created | C:\windows\SysWOW64\NZRHI.exe.bat | QULS.exe
File opened for modification | C:\windows\SysWOW64\ACPMKUR.exe | IGJUKUA.exe
File created | C:\windows\SysWOW64\BSSFSYJ.exe | RUM.exe
File created | C:\windows\SysWOW64\DRWIAO.exe.bat | HAU.exe
- Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\windows\system\AZRF.exe | THB.exe
File created | C:\windows\GZDTZBD.exe | UWSNQ.exe
File created | C:\windows\EBQJ.exe.bat | UYZF.exe
File opened for modification | C:\windows\DSLP.exe | UURO.exe
File created | C:\windows\system\WYFWYNH.exe | ATA.exe
File created | C:\windows\system\HTI.exe.bat | FVC.exe
File created | C:\windows\KOXUUWE.exe | DTTBOAO.exe
File created | C:\windows\system\HAU.exe.bat | MDHWM.exe
File created | C:\windows\AGFXBZC.exe.bat | SSA.exe
File opened for modification | C:\windows\system\FQFR.exe | DSLP.exe
File created | C:\windows\system\AZRF.exe.bat | THB.exe
File created | C:\windows\MPLT.exe.bat | XZENC.exe
File opened for modification | C:\windows\KQFJZS.exe | YIZJ.exe
File opened for modification | C:\windows\system\MVOGEG.exe | GAKNQS.exe
File created | C:\windows\WXVNN.exe | UAPSGW.exe
File created | C:\windows\EPRV.exe.bat | LMNRCIA.exe
File created | C:\windows\system\CEZTUIL.exe.bat | ACPMKUR.exe
File opened for modification | C:\windows\UQAZ.exe | XSAPY.exe
File created | C:\windows\system\QWDJRUZ.exe | IQZ.exe
File created | C:\windows\SNPHD.exe.bat | PWUSV.exe
File opened for modification | C:\windows\system\IBT.exe | MVOGEG.exe
File created | C:\windows\SRO.exe | JRMD.exe
File created | C:\windows\system\QWRNHK.exe | GZDTZBD.exe
File opened for modification | C:\windows\RULOAG.exe | QWRNHK.exe
File created | C:\windows\system\VLUVPVX.exe | EDGQCE.exe
File created | C:\windows\system\QULS.exe | QWDJRUZ.exe
File created | C:\windows\system\AZRF.exe | THB.exe
File created | C:\windows\QCQRM.exe.bat | VRHSYGV.exe
File created | C:\windows\system\AUIMZC.exe.bat | VTYJNGR.exe
File created | C:\windows\OTMKZ.exe.bat | HAPCPDX.exe
File opened for modification | C:\windows\TYUIT.exe | AGFXBZC.exe
File created | C:\windows\SRO.exe.bat | JRMD.exe
File opened for modification | C:\windows\system\EQTXI.exe | LCIZUY.exe
File created | C:\windows\system\EQTXI.exe.bat | LCIZUY.exe
File created | C:\windows\RULOAG.exe.bat | QWRNHK.exe
File created | C:\windows\XTD.exe.bat | HDQGKW.exe
File opened for modification | C:\windows\THB.exe | TBBIBBP.exe
File created | C:\windows\system\VRHSYGV.exe.bat | YRX.exe
File opened for modification | C:\windows\EZLMPW.exe | KMGD.exe
File created | C:\windows\HDQGKW.exe | SNPHD.exe
File created | C:\windows\IQZ.exe | EASUC.exe
File created | C:\windows\GUSLH.exe | RRJHOHD.exe
File created | C:\windows\KQBLR.exe | EQTXI.exe
File opened for modification | C:\windows\MPLT.exe | XZENC.exe
File created | C:\windows\YRX.exe.bat | LOP.exe
File opened for modification | C:\windows\MLMEPPF.exe | DRWIAO.exe
File created | C:\windows\system\YFKCI.exe | AUIMZC.exe
File created | C:\windows\system\IBT.exe | MVOGEG.exe
File opened for modification | C:\windows\GSEQIPP.exe | MFZYY.exe
File created | C:\windows\FGXPNM.exe | JAFAWJM.exe
File created | C:\windows\LMNRCIA.exe | EBQJ.exe
File created | C:\windows\system\LOP.exe.bat | XTD.exe
File created | C:\windows\system\VRHSYGV.exe | YRX.exe
File created | C:\windows\system\RKKO.exe.bat | ABI.exe
File created | C:\windows\OBQ.exe | KQFJZS.exe
File created | C:\windows\system\XPV.exe.bat | OPTHHY.exe
File created | C:\windows\system\IGJUKUA.exe | OTMKZ.exe
File created | C:\windows\ZIBXWR.exe.bat | YFKCI.exe
File created | C:\windows\DSLP.exe | UURO.exe
File created | C:\windows\YIZJ.exe.bat | FVNL.exe
File opened for modification | C:\windows\system\VRHSYGV.exe | YRX.exe
File opened for modification | C:\windows\GUSLH.exe | RRJHOHD.exe
File opened for modification | C:\windows\TGFRG.exe | WVNUT.exe
File opened for modification | C:\windows\SGG.exe | HNR.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Program crash (64 IoCs)
pid | pid_target | Process | procid_target
3016 | 4720 | WerFault.exe | 82
1488 | 2336 | WerFault.exe | 90
2004 | 2120 | WerFault.exe | 97
1848 | 1620 | WerFault.exe | 102
1468 | 5080 | WerFault.exe | 107
208 | 4984 | WerFault.exe | 112
3932 | 2184 | WerFault.exe | 119
2476 | 4272 | WerFault.exe | 126
2152 | 4892 | WerFault.exe | 131
3868 | 4244 | WerFault.exe | 136
2440 | 4336 | WerFault.exe | 141
1796 | 1620 | WerFault.exe | 147
2448 | 4164 | WerFault.exe | 152
3988 | 5044 | WerFault.exe | 157
3448 | 2756 | WerFault.exe | 164
2028 | 1344 | WerFault.exe | 169
2856 | 1908 | WerFault.exe | 174
1468 | 1804 | WerFault.exe | 179
2080 | 112 | WerFault.exe | 184
4164 | 3672 | WerFault.exe | 189
4204 | 3464 | WerFault.exe | 194
4728 | 2388 | WerFault.exe | 199
1404 | 2356 | WerFault.exe | 204
1160 | 3236 | WerFault.exe | 209
836 | 364 | WerFault.exe | 214
2592 | 1620 | WerFault.exe | 219
4748 | 3508 | WerFault.exe | 224
4272 | 960 | WerFault.exe | 229
4428 | 2112 | WerFault.exe | 234
1444 | 1344 | WerFault.exe | 239
4240 | 540 | WerFault.exe | 244
184 | 2748 | WerFault.exe | 249
1772 | 208 | WerFault.exe | 254
2756 | 2424 | WerFault.exe | 259
1888 | 4164 | WerFault.exe | 265
3544 | 4552 | WerFault.exe | 270
1848 | 3028 | WerFault.exe | 275
5028 | 244 | WerFault.exe | 280
2092 | 1828 | WerFault.exe | 286
2188 | 740 | WerFault.exe | 291
4260 | 3076 | WerFault.exe | 296
2116 | 4312 | WerFault.exe | 301
4452 | 2920 | WerFault.exe | 306
3136 | 4204 | WerFault.exe | 311
1904 | 224 | WerFault.exe | 316
1100 | 2096 | WerFault.exe | 321
3204 | 4920 | WerFault.exe | 326
532 | 4716 | WerFault.exe | 331
2596 | 408 | WerFault.exe | 336
2116 | 1812 | WerFault.exe | 341
1168 | 2100 | WerFault.exe | 346
2936 | 1056 | WerFault.exe | 351
2080 | 4012 | WerFault.exe | 356
1160 | 1972 | WerFault.exe | 361
2476 | 2384 | WerFault.exe | 366
1800 | 2964 | WerFault.exe | 371
1432 | 1620 | WerFault.exe | 376
3168 | 3988 | WerFault.exe | 381
3704 | 4656 | WerFault.exe | 386
1488 | 1544 | WerFault.exe | 391
4644 | 1156 | WerFault.exe | 396
4348 | 2080 | WerFault.exe | 401
3868 | 3708 | WerFault.exe | 406
3200 | 1888 | WerFault.exe | 411
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (64 entries, all opening the key above, in report order): cmd.exe, cmd.exe, QMLONN.exe, cmd.exe, cmd.exe, cmd.exe, FVNL.exe, cmd.exe, UURO.exe, EBQJ.exe, VRHSYGV.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, MFZYY.exe, cmd.exe, NEIIR.exe, cmd.exe, UQAZ.exe, TYUIT.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, HTI.exe, VTYJNGR.exe, cmd.exe, WXVNN.exe, TKRCGYC.exe, FVC.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, KOXUUWE.exe, cmd.exe, DRWIAO.exe, cmd.exe, cmd.exe, HNR.exe, IBT.exe, THB.exe, cmd.exe, cmd.exe, RUM.exe, cmd.exe, cmd.exe, XTD.exe, cmd.exe, cmd.exe, cmd.exe, DSLP.exe, WYFWYNH.exe, RRJHOHD.exe, SUJB.exe, cmd.exe, IQZ.exe, MDHWM.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (each of the 32 pairs below is listed twice in the report)
4720 | 60664e5230f58890ff12552c3775d0d0N.exe
2336 | IUX.exe
2120 | WQI.exe
1620 | ATA.exe
5080 | WYFWYNH.exe
4984 | TZPYCJ.exe
2184 | XXAOSNL.exe
4272 | LCIZUY.exe
4892 | EQTXI.exe
4244 | KQBLR.exe
4336 | KTTWB.exe
1620 | ZOC.exe
4164 | AMKJ.exe
5044 | UAPSGW.exe
2756 | WXVNN.exe
1344 | JAFAWJM.exe
1908 | FGXPNM.exe
1804 | TBBIBBP.exe
112 | THB.exe
3672 | AZRF.exe
3464 | XSAPY.exe
2388 | UQAZ.exe
2356 | UWSNQ.exe
3236 | GZDTZBD.exe
364 | QWRNHK.exe
1620 | RULOAG.exe
3508 | QKKZEZ.exe
960 | QNAVSJE.exe
2112 | UYYIS.exe
1344 | UYZF.exe
540 | EBQJ.exe
2748 | LMNRCIA.exe
- Suspicious use of SetWindowsHookEx (64 IoCs)
pid | Process (each of the 32 pairs below is listed twice in the report)
4720 | 60664e5230f58890ff12552c3775d0d0N.exe
2336 | IUX.exe
2120 | WQI.exe
1620 | ATA.exe
5080 | WYFWYNH.exe
4984 | TZPYCJ.exe
2184 | XXAOSNL.exe
4272 | LCIZUY.exe
4892 | EQTXI.exe
4244 | KQBLR.exe
4336 | KTTWB.exe
1620 | ZOC.exe
4164 | AMKJ.exe
5044 | UAPSGW.exe
2756 | WXVNN.exe
1344 | JAFAWJM.exe
1908 | FGXPNM.exe
1804 | TBBIBBP.exe
112 | THB.exe
3672 | AZRF.exe
3464 | XSAPY.exe
2388 | UQAZ.exe
2356 | UWSNQ.exe
3236 | GZDTZBD.exe
364 | QWRNHK.exe
1620 | RULOAG.exe
3508 | QKKZEZ.exe
960 | QNAVSJE.exe
2112 | UYYIS.exe
1344 | UYZF.exe
540 | EBQJ.exe
2748 | LMNRCIA.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | times listed in report
PID 4720 wrote to memory of 4268 | 4720 | 60664e5230f58890ff12552c3775d0d0N.exe | 86 | 3
PID 4268 wrote to memory of 2336 | 4268 | cmd.exe | 90 | 3
PID 2336 wrote to memory of 1392 | 2336 | IUX.exe | 93 | 3
PID 1392 wrote to memory of 2120 | 1392 | cmd.exe | 97 | 3
PID 2120 wrote to memory of 2856 | 2120 | WQI.exe | 98 | 3
PID 2856 wrote to memory of 1620 | 2856 | cmd.exe | 102 | 3
PID 1620 wrote to memory of 2172 | 1620 | ATA.exe | 103 | 3
PID 2172 wrote to memory of 5080 | 2172 | cmd.exe | 107 | 3
PID 5080 wrote to memory of 1864 | 5080 | WYFWYNH.exe | 108 | 3
PID 1864 wrote to memory of 4984 | 1864 | cmd.exe | 112 | 3
PID 4984 wrote to memory of 2900 | 4984 | TZPYCJ.exe | 115 | 3
PID 2900 wrote to memory of 2184 | 2900 | cmd.exe | 119 | 3
PID 2184 wrote to memory of 4348 | 2184 | XXAOSNL.exe | 121 | 3
PID 4348 wrote to memory of 4272 | 4348 | cmd.exe | 126 | 3
PID 4272 wrote to memory of 2392 | 4272 | LCIZUY.exe | 127 | 3
PID 2392 wrote to memory of 4892 | 2392 | cmd.exe | 131 | 3
PID 4892 wrote to memory of 3016 | 4892 | EQTXI.exe | 132 | 3
PID 3016 wrote to memory of 4244 | 3016 | cmd.exe | 136 | 3
PID 4244 wrote to memory of 2180 | 4244 | KQBLR.exe | 137 | 3
PID 2180 wrote to memory of 4336 | 2180 | cmd.exe | 141 | 3
PID 4336 wrote to memory of 4896 | 4336 | KTTWB.exe | 143 | 3
PID 4896 wrote to memory of 1620 | 4896 | cmd.exe | 147 | 1
Processes (process tree; the number in brackets is the depth in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\60664e5230f58890ff12552c3775d0d0N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\60664e5230f58890ff12552c3775d0d0N.exe"
PID: 4720
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IUX.exe.bat" "
PID: 4268
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[3] C:\windows\IUX.exe
Command line: C:\windows\IUX.exe
PID: 2336
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WQI.exe.bat" "
PID: 1392
- Suspicious use of WriteProcessMemory
[5] C:\windows\WQI.exe
Command line: C:\windows\WQI.exe
PID: 2120
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ATA.exe.bat" "
PID: 2856
- Suspicious use of WriteProcessMemory
[7] C:\windows\system\ATA.exe
Command line: C:\windows\system\ATA.exe
PID: 1620
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WYFWYNH.exe.bat" "
PID: 2172
- Suspicious use of WriteProcessMemory
[9] C:\windows\system\WYFWYNH.exe
Command line: C:\windows\system\WYFWYNH.exe
PID: 5080
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TZPYCJ.exe.bat" "
PID: 1864
- Suspicious use of WriteProcessMemory
[11] C:\windows\TZPYCJ.exe
Command line: C:\windows\TZPYCJ.exe
PID: 4984
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XXAOSNL.exe.bat" "
PID: 2900
- Suspicious use of WriteProcessMemory
[13] C:\windows\SysWOW64\XXAOSNL.exe
Command line: C:\windows\system32\XXAOSNL.exe
PID: 2184
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCIZUY.exe.bat" "
PID: 4348
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
[15] C:\windows\SysWOW64\LCIZUY.exe
Command line: C:\windows\system32\LCIZUY.exe
PID: 4272
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\EQTXI.exe.bat" "
PID: 2392
- Suspicious use of WriteProcessMemory
[17] C:\windows\system\EQTXI.exe
Command line: C:\windows\system\EQTXI.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KQBLR.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\windows\KQBLR.exeC:\windows\KQBLR.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KTTWB.exe.bat" "20⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\windows\KTTWB.exeC:\windows\KTTWB.exe21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZOC.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\windows\ZOC.exeC:\windows\ZOC.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AMKJ.exe.bat" "24⤵PID:1328
-
C:\windows\system\AMKJ.exeC:\windows\system\AMKJ.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4164 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UAPSGW.exe.bat" "26⤵PID:788
-
C:\windows\SysWOW64\UAPSGW.exeC:\windows\system32\UAPSGW.exe27⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WXVNN.exe.bat" "28⤵PID:1000
-
C:\windows\WXVNN.exeC:\windows\WXVNN.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JAFAWJM.exe.bat" "30⤵
- System Location Discovery: System Language Discovery
PID:3648 -
C:\windows\SysWOW64\JAFAWJM.exeC:\windows\system32\JAFAWJM.exe31⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FGXPNM.exe.bat" "32⤵PID:1656
-
C:\windows\FGXPNM.exeC:\windows\FGXPNM.exe33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TBBIBBP.exe.bat" "34⤵PID:2280
-
C:\windows\system\TBBIBBP.exeC:\windows\system\TBBIBBP.exe35⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1804 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\THB.exe.bat" "36⤵PID:4168
-
C:\windows\THB.exeC:\windows\THB.exe37⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AZRF.exe.bat" "38⤵PID:788
-
C:\windows\system\AZRF.exeC:\windows\system\AZRF.exe39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XSAPY.exe.bat" "40⤵PID:4572
-
C:\windows\system\XSAPY.exeC:\windows\system\XSAPY.exe41⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UQAZ.exe.bat" "42⤵
- System Location Discovery: System Language Discovery
PID:972 -
C:\windows\UQAZ.exeC:\windows\UQAZ.exe43⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2388 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UWSNQ.exe.bat" "44⤵PID:1904
-
C:\windows\SysWOW64\UWSNQ.exeC:\windows\system32\UWSNQ.exe45⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GZDTZBD.exe.bat" "46⤵
- System Location Discovery: System Language Discovery
PID:3432 -
C:\windows\GZDTZBD.exeC:\windows\GZDTZBD.exe47⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QWRNHK.exe.bat" "48⤵PID:4240
-
C:\windows\system\QWRNHK.exeC:\windows\system\QWRNHK.exe49⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:364 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RULOAG.exe.bat" "50⤵PID:184
-
C:\windows\RULOAG.exeC:\windows\RULOAG.exe51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QKKZEZ.exe.bat" "52⤵
- System Location Discovery: System Language Discovery
PID:4888 -
C:\windows\system\QKKZEZ.exeC:\windows\system\QKKZEZ.exe53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QNAVSJE.exe.bat" "54⤵PID:3696
-
C:\windows\SysWOW64\QNAVSJE.exeC:\windows\system32\QNAVSJE.exe55⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\UYYIS.exe.bat" "56⤵PID:2184
-
C:\windows\system\UYYIS.exeC:\windows\system\UYYIS.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\UYZF.exe.bat" "58⤵
- System Location Discovery: System Language Discovery
PID:4656 -
C:\windows\system\UYZF.exeC:\windows\system\UYZF.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EBQJ.exe.bat" "60⤵PID:3208
-
C:\windows\EBQJ.exeC:\windows\EBQJ.exe61⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LMNRCIA.exe.bat" "62⤵PID:4680
-
C:\windows\LMNRCIA.exeC:\windows\LMNRCIA.exe63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EPRV.exe.bat" "64⤵PID:4644
-
C:\windows\EPRV.exeC:\windows\EPRV.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LAHDZY.exe.bat" "66⤵PID:4964
-
C:\windows\SysWOW64\LAHDZY.exeC:\windows\system32\LAHDZY.exe67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HFMAGH.exe.bat" "68⤵PID:1620
-
C:\windows\SysWOW64\HFMAGH.exeC:\windows\system32\HFMAGH.exe69⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4164 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NBQ.exe.bat" "70⤵
- System Location Discovery: System Language Discovery
PID:3920 -
C:\windows\SysWOW64\NBQ.exeC:\windows\system32\NBQ.exe71⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XZENC.exe.bat" "72⤵
- System Location Discovery: System Language Discovery
PID:3548 -
C:\windows\SysWOW64\XZENC.exeC:\windows\system32\XZENC.exe73⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MPLT.exe.bat" "74⤵PID:2120
-
C:\windows\MPLT.exeC:\windows\MPLT.exe75⤵
- Checks computer location settings
- Executes dropped EXE
PID:244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CFSWQH.exe.bat" "76⤵
- System Location Discovery: System Language Discovery
PID:5092 -
C:\windows\CFSWQH.exeC:\windows\CFSWQH.exe77⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FVNL.exe.bat" "78⤵PID:4336
-
C:\windows\system\FVNL.exeC:\windows\system\FVNL.exe79⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YIZJ.exe.bat" "80⤵PID:4384
-
C:\windows\YIZJ.exeC:\windows\YIZJ.exe81⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KQFJZS.exe.bat" "82⤵PID:4928
-
C:\windows\KQFJZS.exeC:\windows\KQFJZS.exe83⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4312 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OBQ.exe.bat" "84⤵PID:3920
-
C:\windows\OBQ.exeC:\windows\OBQ.exe85⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PWUSV.exe.bat" "86⤵PID:3432
-
C:\windows\PWUSV.exeC:\windows\PWUSV.exe87⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SNPHD.exe.bat" "88⤵PID:4896
-
C:\windows\SNPHD.exeC:\windows\SNPHD.exe89⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:224 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HDQGKW.exe.bat" "90⤵PID:1996
-
C:\windows\HDQGKW.exeC:\windows\HDQGKW.exe91⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2096 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XTD.exe.bat" "92⤵PID:1016
-
C:\windows\XTD.exeC:\windows\XTD.exe93⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LOP.exe.bat" "94⤵PID:1468
-
C:\windows\system\LOP.exeC:\windows\system\LOP.exe95⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4716 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YRX.exe.bat" "96⤵PID:1052
-
C:\windows\YRX.exeC:\windows\YRX.exe97⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:408 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VRHSYGV.exe.bat" "98⤵PID:4260
-
C:\windows\system\VRHSYGV.exeC:\windows\system\VRHSYGV.exe99⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QCQRM.exe.bat" "100⤵PID:1864
-
C:\windows\QCQRM.exeC:\windows\QCQRM.exe101⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HCEOZAL.exe.bat" "102⤵PID:3208
-
C:\windows\system\HCEOZAL.exeC:\windows\system\HCEOZAL.exe103⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EDGQCE.exe.bat" "104⤵PID:2504
-
C:\windows\SysWOW64\EDGQCE.exeC:\windows\system32\EDGQCE.exe105⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VLUVPVX.exe.bat" "106⤵
- System Location Discovery: System Language Discovery
PID:2800 -
C:\windows\system\VLUVPVX.exeC:\windows\system\VLUVPVX.exe107⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HEX.exe.bat" "108⤵
- System Location Discovery: System Language Discovery
PID:5032 -
C:\windows\HEX.exeC:\windows\HEX.exe109⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KMGD.exe.bat" "110⤵PID:2188
-
C:\windows\SysWOW64\KMGD.exeC:\windows\system32\KMGD.exe111⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EZLMPW.exe.bat" "112⤵PID:4340
-
C:\windows\EZLMPW.exeC:\windows\EZLMPW.exe113⤵
- Checks computer location settings
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FCBIDGY.exe.bat" "114⤵PID:3296
-
C:\windows\system\FCBIDGY.exeC:\windows\system\FCBIDGY.exe115⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YVJTNZH.exe.bat" "116⤵
- System Location Discovery: System Language Discovery
PID:972 -
C:\windows\SysWOW64\YVJTNZH.exeC:\windows\system32\YVJTNZH.exe117⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UADX.exe.bat" "118⤵
- System Location Discovery: System Language Discovery
PID:1924 -
C:\windows\UADX.exeC:\windows\UADX.exe119⤵
- Checks computer location settings
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FTYQG.exe.bat" "120⤵PID:1404
-
C:\windows\system\FTYQG.exeC:\windows\system\FTYQG.exe121⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UJLHOS.exe.bat" "122⤵PID:4384