Analysis
- max time kernel: 120s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20240910-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/09/2024, 12:39
Static task: static1
Behavioral task: behavioral1
- Sample: a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe
- Resource: win10v2004-20240910-en
General
- Target: a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe
- Size: 208KB
- MD5: d7e3b7840c38cbde3c8f0d0793d8e220
- SHA1: 9f508f8b8d3e6c99041c9dcfacd2d703d2b8af2d
- SHA256: a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5b
- SHA512: b84a1ad33b587a64684f901cb25c21c2a692e4e2d820a82484e17cec6e5287ee8b4a0cf1b96217763ca5970426ab0188bb8ed9953777417847433362086bbe58
- SSDEEP: 3072:+X1weiQuIe9rW2UFJ+h0u7aIXVDrxBe/r4NLthEjQT6W:celQuji3J+d+yPxkQEjE
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 64 IoCs)
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of SetWindowsHookEx (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe, command line: "C:\Users\Admin\AppData\Local\Temp\a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe"
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- PID: 4520
[2] C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RXFQQ.exe.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- PID: 1880
[3] C:\windows\RXFQQ.exe, command line: C:\windows\RXFQQ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- PID: 4516
[4] C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QQPG.exe.bat" "
- Suspicious use of WriteProcessMemory
- PID: 436
[5] C:\windows\system\QQPG.exe, command line: C:\windows\system\QQPG.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- PID: 3260
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ILTCE.exe.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\windows\ILTCE.exeC:\windows\ILTCE.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HISEIGS.exe.bat" "8⤵
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\windows\system\HISEIGS.exeC:\windows\system\HISEIGS.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FJASZBT.exe.bat" "10⤵
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\windows\SysWOW64\FJASZBT.exeC:\windows\system32\FJASZBT.exe11⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HZB.exe.bat" "12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\windows\system\HZB.exeC:\windows\system\HZB.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UJXTLPE.exe.bat" "14⤵
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\windows\SysWOW64\UJXTLPE.exeC:\windows\system32\UJXTLPE.exe15⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HUFRRSZ.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\windows\system\HUFRRSZ.exeC:\windows\system\HUFRRSZ.exe17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PAG.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\windows\system\PAG.exeC:\windows\system\PAG.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XFSNDDP.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\windows\XFSNDDP.exeC:\windows\XFSNDDP.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XYT.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\windows\SysWOW64\XYT.exeC:\windows\system32\XYT.exe23⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1368 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\IQWH.exe.bat" "24⤵
- System Location Discovery: System Language Discovery
PID:4888 -
C:\windows\IQWH.exeC:\windows\IQWH.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QBEA.exe.bat" "26⤵PID:680
-
C:\windows\QBEA.exeC:\windows\QBEA.exe27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KWJSPA.exe.bat" "28⤵
- System Location Discovery: System Language Discovery
PID:4924 -
C:\windows\KWJSPA.exeC:\windows\KWJSPA.exe29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2432 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JKI.exe.bat" "30⤵PID:2144
-
C:\windows\JKI.exeC:\windows\JKI.exe31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YFSXFQ.exe.bat" "32⤵PID:2844
-
C:\windows\YFSXFQ.exeC:\windows\YFSXFQ.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SAX.exe.bat" "34⤵
- System Location Discovery: System Language Discovery
PID:2352 -
C:\windows\SysWOW64\SAX.exeC:\windows\system32\SAX.exe35⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4128 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CYC.exe.bat" "36⤵PID:4256
-
C:\windows\system\CYC.exeC:\windows\system\CYC.exe37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ILB.exe.bat" "38⤵
- System Location Discovery: System Language Discovery
PID:4868 -
C:\windows\system\ILB.exeC:\windows\system\ILB.exe39⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1072 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SYMTRY.exe.bat" "40⤵PID:1304
-
C:\windows\SysWOW64\SYMTRY.exeC:\windows\system32\SYMTRY.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2064 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMR.exe.bat" "42⤵PID:3108
-
C:\windows\SysWOW64\MMR.exeC:\windows\system32\MMR.exe43⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PHVUM.exe.bat" "44⤵PID:3972
-
C:\windows\system\PHVUM.exeC:\windows\system\PHVUM.exe45⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UKST.exe.bat" "46⤵
- System Location Discovery: System Language Discovery
PID:1872 -
C:\windows\SysWOW64\UKST.exeC:\windows\system32\UKST.exe47⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3420 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FCVLZ.exe.bat" "48⤵PID:512
-
C:\windows\FCVLZ.exeC:\windows\FCVLZ.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\AQZVBEY.exe.bat" "50⤵PID:2792
-
C:\windows\SysWOW64\AQZVBEY.exeC:\windows\system32\AQZVBEY.exe51⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GQHI.exe.bat" "52⤵
- System Location Discovery: System Language Discovery
PID:372 -
C:\windows\SysWOW64\GQHI.exeC:\windows\system32\GQHI.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GEZXU.exe.bat" "54⤵PID:3764
-
C:\windows\SysWOW64\GEZXU.exeC:\windows\system32\GEZXU.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOIYZ.exe.bat" "56⤵PID:3584
-
C:\windows\SysWOW64\NOIYZ.exeC:\windows\system32\NOIYZ.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OUINJD.exe.bat" "58⤵PID:5100
-
C:\windows\SysWOW64\OUINJD.exeC:\windows\system32\OUINJD.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IPN.exe.bat" "60⤵
- System Location Discovery: System Language Discovery
PID:4004 -
C:\windows\system\IPN.exeC:\windows\system\IPN.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FMLL.exe.bat" "62⤵
- System Location Discovery: System Language Discovery
PID:4812 -
C:\windows\system\FMLL.exeC:\windows\system\FMLL.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1348 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KNSZJGD.exe.bat" "64⤵PID:4888
-
C:\windows\SysWOW64\KNSZJGD.exeC:\windows\system32\KNSZJGD.exe65⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JGD.exe.bat" "66⤵PID:816
-
C:\windows\system\JGD.exeC:\windows\system\JGD.exe67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOK.exe.bat" "68⤵PID:4664
-
C:\windows\SysWOW64\NOK.exeC:\windows\system32\NOK.exe69⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XLPRM.exe.bat" "70⤵PID:3548
-
C:\windows\SysWOW64\XLPRM.exeC:\windows\system32\XLPRM.exe71⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XRPYNA.exe.bat" "72⤵PID:3112
-
C:\windows\XRPYNA.exeC:\windows\XRPYNA.exe73⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XKY.exe.bat" "74⤵PID:380
-
C:\windows\system\XKY.exeC:\windows\system\XKY.exe75⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2188 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AXVJL.exe.bat" "76⤵PID:3432
-
C:\windows\system\AXVJL.exeC:\windows\system\AXVJL.exe77⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SAHMRCE.exe.bat" "78⤵PID:4784
-
C:\windows\SysWOW64\SAHMRCE.exeC:\windows\system32\SAHMRCE.exe79⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NNMW.exe.bat" "80⤵PID:4444
-
C:\windows\system\NNMW.exeC:\windows\system\NNMW.exe81⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\TNLKKW.exe.bat" "82⤵PID:2212
-
C:\windows\TNLKKW.exeC:\windows\TNLKKW.exe83⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3548 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NBQ.exe.bat" "84⤵PID:320
-
C:\windows\SysWOW64\NBQ.exeC:\windows\system32\NBQ.exe85⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XZENC.exe.bat" "86⤵PID:2500
-
C:\windows\SysWOW64\XZENC.exeC:\windows\system32\XZENC.exe87⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\IRZGKM.exe.bat" "88⤵
- System Location Discovery: System Language Discovery
PID:684 -
C:\windows\IRZGKM.exeC:\windows\IRZGKM.exe89⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WXHSM.exe.bat" "90⤵PID:1348
-
C:\windows\WXHSM.exeC:\windows\WXHSM.exe91⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CXOFVZK.exe.bat" "92⤵PID:1296
-
C:\windows\SysWOW64\CXOFVZK.exeC:\windows\system32\CXOFVZK.exe93⤵
- Checks computer location settings
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GFVFH.exe.bat" "94⤵PID:3584
-
C:\windows\SysWOW64\GFVFH.exeC:\windows\system32\GFVFH.exe95⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TIREMJ.exe.bat" "96⤵PID:4928
-
C:\windows\system\TIREMJ.exeC:\windows\system\TIREMJ.exe97⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JGYPY.exe.bat" "98⤵PID:2500
-
C:\windows\system\JGYPY.exeC:\windows\system\JGYPY.exe99⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TED.exe.bat" "100⤵PID:2740
-
C:\windows\system\TED.exeC:\windows\system\TED.exe101⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DEFORJ.exe.bat" "102⤵PID:1504
-
C:\windows\SysWOW64\DEFORJ.exeC:\windows\system32\DEFORJ.exe103⤵
- Checks computer location settings
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XRK.exe.bat" "104⤵PID:3552
-
C:\windows\XRK.exeC:\windows\XRK.exe105⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PAMD.exe.bat" "106⤵
- System Location Discovery: System Language Discovery
PID:3424 -
C:\windows\system\PAMD.exeC:\windows\system\PAMD.exe107⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CKVBTJF.exe.bat" "108⤵
- System Location Discovery: System Language Discovery
PID:3740 -
C:\windows\system\CKVBTJF.exeC:\windows\system\CKVBTJF.exe109⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RAWTRE.exe.bat" "110⤵PID:2312
-
C:\windows\system\RAWTRE.exeC:\windows\system\RAWTRE.exe111⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KVZWFUD.exe.bat" "112⤵PID:1564
-
C:\windows\KVZWFUD.exeC:\windows\KVZWFUD.exe113⤵
- Checks computer location settings
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XGQVLFY.exe.bat" "114⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\windows\SysWOW64\XGQVLFY.exeC:\windows\system32\XGQVLFY.exe115⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HEVHB.exe.bat" "116⤵PID:4784
-
C:\windows\SysWOW64\HEVHB.exeC:\windows\system32\HEVHB.exe117⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EKBFIXJ.exe.bat" "118⤵PID:2524
-
C:\windows\SysWOW64\EKBFIXJ.exeC:\windows\system32\EKBFIXJ.exe119⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JMXLNO.exe.bat" "120⤵
- System Location Discovery: System Language Discovery
PID:452 -
C:\windows\system\JMXLNO.exeC:\windows\system\JMXLNO.exe121⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LAC.exe.bat" "122⤵PID:3824
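The tree above repeats one launcher pattern at every level: a dropped EXE writes a sibling "<name>.exe.bat", runs it through cmd.exe /c, and that batch file starts the next dropped EXE in C:\windows, C:\windows\system or C:\windows\system32. The following Python is an added triage example, not part of the tria.ge report, that rebuilds the parent/child chain from the page's own process lines and flags each cmd.exe → X.exe.bat → X.exe hop. It also marks the hops where the command line says system32 but the image path is SysWOW64, which is WoW64 file-system redirection for this 32-bit sample (the same reason the report tags "Drops file in System32 directory" while the files land in SysWOW64). The TREE_EXCERPT is the first eleven processes copied from the tree, reduced to the process and PID lines; the regular expressions assume that line layout, and the Proc/Stage names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the process tree above, reduced to the
# "<image><command line><depth>⤵" and "PID:<n>" lines of the first eleven
# processes. The layout mirrors how the page was rendered (assumption).
TREE_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe"C:\Users\Admin\AppData\Local\Temp\a129e4d84de45a77c529c1b8f3fa6daedaf2c4dc21230ce080b1f92d74c6ba5bN.exe"1⤵
PID:4520 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RXFQQ.exe.bat" "2⤵
PID:1880 -
C:\windows\RXFQQ.exeC:\windows\RXFQQ.exe3⤵
PID:4516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QQPG.exe.bat" "4⤵
PID:436 -
C:\windows\system\QQPG.exeC:\windows\system\QQPG.exe5⤵
PID:3260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ILTCE.exe.bat" "6⤵
PID:2064 -
C:\windows\ILTCE.exeC:\windows\ILTCE.exe7⤵
PID:3940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HISEIGS.exe.bat" "8⤵
PID:4632 -
C:\windows\system\HISEIGS.exeC:\windows\system\HISEIGS.exe9⤵
PID:2188 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FJASZBT.exe.bat" "10⤵
PID:4148 -
C:\windows\SysWOW64\FJASZBT.exeC:\windows\system32\FJASZBT.exe11⤵
PID:2328 -
"""

# image path runs up to the first ".exe"; the tree depth is the number before ⤵
PROC_RE = re.compile(r"^(?P<image>.+?\.exe)(?P<cmdline>.+?)(?P<depth>\d+)⤵$")
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")
# the launcher every stage uses: cmd.exe /c ""<path>.exe.bat" "
LAUNCHER_RE = re.compile(r'/c\s+""(?P<bat>[^"]+\.exe\.bat)"', re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    depth: int
    parent: Optional["Proc"] = None


@dataclass
class Stage:
    bat_path: str           # the .exe.bat the parent cmd.exe ran
    dropped_exe: str        # the executable the batch file started
    child_pid: int
    drop_dir: str           # directory the stage was dropped into (lower-cased)
    wow64_redirected: bool  # command line says system32, image is SysWOW64


def parse_tree(text: str) -> list[Proc]:
    """Rebuild parent links from the depth number that ends each process line."""
    procs: list[Proc] = []
    stack: list[Proc] = []  # stack[d-1] is the most recent process at depth d
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            pending = (m["image"], m["cmdline"], int(m["depth"]))
            continue
        m = PID_RE.match(line)
        if m and pending:
            image, cmdline, depth = pending
            proc = Proc(int(m["pid"]), image, cmdline, depth)
            del stack[depth - 1:]
            proc.parent = stack[-1] if stack else None
            stack.append(proc)
            procs.append(proc)
            pending = None
    return procs


def is_launcher_pair(parent: Proc, child: Proc) -> Optional[Stage]:
    """Flag cmd.exe /c "X.exe.bat" whose child process is X.exe. The same test
    applies to Sysmon ProcessCreate fields (ParentImage, ParentCommandLine,
    Image, CommandLine)."""
    if parent.image.lower().rsplit("\\", 1)[-1] != "cmd.exe":
        return None
    m = LAUNCHER_RE.search(parent.cmdline)
    if not m:
        return None
    expected_exe = m["bat"][: -len(".bat")]
    if child.cmdline.strip('"').lower() != expected_exe.lower():
        return None
    redirected = ("\\system32\\" in child.cmdline.lower()
                  and "\\syswow64\\" in child.image.lower())
    return Stage(m["bat"], expected_exe, child.pid,
                 expected_exe.lower().rsplit("\\", 1)[0], redirected)


def find_launcher_chain(procs: list[Proc]) -> list[Stage]:
    return [s for p in procs if p.parent
            for s in [is_launcher_pair(p.parent, p)] if s]


def drop_dir_histogram(stages: list[Stage]) -> dict[str, int]:
    hist: dict[str, int] = {}
    for s in stages:
        hist[s.drop_dir] = hist.get(s.drop_dir, 0) + 1
    return hist


if __name__ == "__main__":
    chain = find_launcher_chain(parse_tree(TREE_EXCERPT))
    for s in chain:
        note = "  (system32 -> SysWOW64 redirect)" if s.wow64_redirected else ""
        print(f"{s.bat_path} -> {s.dropped_exe} pid={s.child_pid}{note}")
    print(drop_dir_histogram(chain))
```

Run on the excerpt, the chain has five hops (RXFQQ, QQPG, ILTCE, HISEIGS, FJASZBT) and only the last one is redirected. On a live host, is_launcher_pair is the part worth keeping: a cmd.exe parent whose command line names a ".exe.bat" under %windir% and whose child image is that path minus ".bat" is a high-confidence match for this dropper family and very rare in legitimate process trees.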