Analysis
max time kernel: 120s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/09/2024, 02:41
Static task: static1
Behavioral task: behavioral1
Sample: 0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
Resource: win10v2004-20240802-en
General
Target: 0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
Size: 208KB
MD5: 055ec5cf1c55ba392c43ee2ef772cf30
SHA1: a205132a89d5cfc0c6dc6c17d31dc2273a3f7503
SHA256: 0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61b
SHA512: 1c01d8cbd71df0b48521affb97db68800477c01ca06743866dd91db311248e8eed365e0e438a4e07d93824d74a518a2e55fa33f27c9c4837c78387aeae3d2bce
SSDEEP: 3072:7MBIT2UDUZ6AIps1kpJhODQCtMaAaafCyHkLRvJ4NLthEjQT6c:73Ty+lyQfC1QEj+
Malware Config
Signatures
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation
Querying processes (64 IoCs, in report order): DQGOU.exe, ZKTSI.exe, AHJ.exe, NCJB.exe, MMKOBFN.exe, OIHPMPP.exe, DDGA.exe, GQLJ.exe, NXJNB.exe, SURHCS.exe, ZPG.exe, RXFQQ.exe, DBHNC.exe, QYDGXX.exe, BHDDE.exe, SSUT.exe, RYRC.exe, KKE.exe, RCJC.exe, KHJGPDX.exe, XEJVMU.exe, AUQ.exe, YBZJKF.exe, QZKOK.exe, QFK.exe, SLYNB.exe, QWRI.exe, OIQRD.exe, PSLDWQ.exe, DOUA.exe, KTD.exe, YWIN.exe, OYW.exe, OCPC.exe, LBCKAK.exe, ABZUN.exe, TGFRG.exe, BXNVMYU.exe, VWD.exe, TJKUTRJ.exe, LWMLX.exe, NGZDXZ.exe, YEZT.exe, FHP.exe, AGVZIV.exe, PZXGV.exe, KBVOZJ.exe, UEUWIF.exe, FUCCET.exe, MBKI.exe, CUEVQD.exe, XQGLV.exe, KQE.exe, ZIMU.exe, POAKVE.exe, WRGS.exe, ATXC.exe, GHRN.exe, FSLSTKQ.exe, LCR.exe, DSICD.exe, FBFPV.exe, HEX.exe, QKCQVKX.exe
Executes dropped EXE 64 IoCs
pid | Process
4140 | KQE.exe
3012 | MOKHWZY.exe
3820 | ORTOGNA.exe
2024 | PUXS.exe
4504 | PZXGV.exe
4400 | PDBC.exe
2396 | ZIMU.exe
4584 | KAPNZS.exe
828 | EWLWJRY.exe
860 | UEUWIF.exe
5076 | OZZ.exe
5044 | WKA.exe
4548 | RXFQQ.exe
4408 | JAI.exe
3688 | VSL.exe
884 | RYRC.exe
2988 | FBN.exe
2788 | KBVOZJ.exe
4004 | FWA.exe
3484 | CUGU.exe
1116 | CIYJS.exe
4628 | WVDSCGC.exe
1540 | LQMEV.exe
756 | LWMLX.exe
1532 | GRRCZFC.exe
4232 | VMAHS.exe
3140 | DRBVTF.exe
2700 | FUCCET.exe
3724 | VKJNQ.exe
3592 | FSLSTKQ.exe
3376 | LTTG.exe
3344 | OBNOOLN.exe
4472 | YJPTRJ.exe
3444 | CRV.exe
1480 | KKE.exe
2464 | XMAB.exe
3484 | RAFKYW.exe
3724 | MVK.exe
3592 | MBKI.exe
916 | DOUA.exe
4976 | YBZJKF.exe
860 | KPSB.exe
372 | HUPYSD.exe
2748 | QURDWBV.exe
832 | HICVM.exe
4068 | TAFOUF.exe
4100 | PGLDBP.exe
4888 | AYGWJWQ.exe
3652 | AJOXXIX.exe
1100 | LCR.exe
1560 | LHJE.exe
1668 | BCBJSPP.exe
3768 | DAU.exe
4160 | KTD.exe
3876 | FGIOO.exe
3656 | QYDGXX.exe
1852 | DBHNC.exe
1832 | PUCYCW.exe
2276 | JPG.exe
4396 | SURHCS.exe
4492 | ENUSKIS.exe
3768 | PGX.exe
1604 | ODW.exe
2596 | TED.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\windows\SysWOW64\JAI.exe | RXFQQ.exe
File created | C:\windows\SysWOW64\WVDSCGC.exe.bat | CIYJS.exe
File created | C:\windows\SysWOW64\LHJE.exe.bat | LCR.exe
File opened for modification | C:\windows\SysWOW64\FGIOO.exe | KTD.exe
File opened for modification | C:\windows\SysWOW64\QZKOK.exe | QPJNW.exe
File created | C:\windows\SysWOW64\BCF.exe.bat | QKCQVKX.exe
File created | C:\windows\SysWOW64\EASUC.exe | SHPB.exe
File created | C:\windows\SysWOW64\EWLWJRY.exe.bat | KAPNZS.exe
File created | C:\windows\SysWOW64\RAFKYW.exe.bat | XMAB.exe
File opened for modification | C:\windows\SysWOW64\KTD.exe | DAU.exe
File created | C:\windows\SysWOW64\ODW.exe | PGX.exe
File created | C:\windows\SysWOW64\OCPC.exe | GKPJ.exe
File opened for modification | C:\windows\SysWOW64\FHP.exe | QBJX.exe
File created | C:\windows\SysWOW64\ZPG.exe.bat | MMKOBFN.exe
File created | C:\windows\SysWOW64\FSLSTKQ.exe | VKJNQ.exe
File created | C:\windows\SysWOW64\GQLJ.exe.bat | MVGAUAZ.exe
File created | C:\windows\SysWOW64\JLV.exe.bat | ZKTSI.exe
File opened for modification | C:\windows\SysWOW64\CUGU.exe | FWA.exe
File created | C:\windows\SysWOW64\VZFGO.exe.bat | PYYSX.exe
File created | C:\windows\SysWOW64\ZPQYHJI.exe | IPOLEE.exe
File opened for modification | C:\windows\SysWOW64\ANMXUJ.exe | RNSSR.exe
File opened for modification | C:\windows\SysWOW64\KAPNZS.exe | ZIMU.exe
File created | C:\windows\SysWOW64\QZKOK.exe | QPJNW.exe
File created | C:\windows\SysWOW64\ZPQYHJI.exe.bat | IPOLEE.exe
File created | C:\windows\SysWOW64\PSLDWQ.exe.bat | JFTCA.exe
File created | C:\windows\SysWOW64\CQEM.exe.bat | ZDZCZUW.exe
File created | C:\windows\SysWOW64\HUPYSD.exe.bat | KPSB.exe
File created | C:\windows\SysWOW64\LCR.exe | AJOXXIX.exe
File created | C:\windows\SysWOW64\KTD.exe.bat | DAU.exe
File created | C:\windows\SysWOW64\JPG.exe.bat | PUCYCW.exe
File opened for modification | C:\windows\SysWOW64\WVDSCGC.exe | CIYJS.exe
File created | C:\windows\SysWOW64\BCF.exe | QKCQVKX.exe
File created | C:\windows\SysWOW64\KAPNZS.exe | ZIMU.exe
File opened for modification | C:\windows\SysWOW64\LHJE.exe | LCR.exe
File created | C:\windows\SysWOW64\TJKUTRJ.exe.bat | SGG.exe
File created | C:\windows\SysWOW64\RAFKYW.exe | XMAB.exe
File opened for modification | C:\windows\SysWOW64\ODW.exe | PGX.exe
File opened for modification | C:\windows\SysWOW64\SHPB.exe | BCF.exe
File created | C:\windows\SysWOW64\EASUC.exe.bat | SHPB.exe
File created | C:\windows\SysWOW64\VHSGMPF.exe.bat | QHTSCVD.exe
File created | C:\windows\SysWOW64\CQEM.exe | ZDZCZUW.exe
File opened for modification | C:\windows\SysWOW64\OIHPMPP.exe | OYYNGKJ.exe
File opened for modification | C:\windows\SysWOW64\KPSB.exe | YBZJKF.exe
File created | C:\windows\SysWOW64\FWGC.exe.bat | TED.exe
File created | C:\windows\SysWOW64\VKJNQ.exe.bat | FUCCET.exe
File opened for modification | C:\windows\SysWOW64\KQE.exe | 0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
File opened for modification | C:\windows\SysWOW64\EWLWJRY.exe | KAPNZS.exe
File created | C:\windows\SysWOW64\DBHNC.exe.bat | QYDGXX.exe
File created | C:\windows\SysWOW64\SHPB.exe.bat | BCF.exe
File opened for modification | C:\windows\SysWOW64\EASUC.exe | SHPB.exe
File created | C:\windows\SysWOW64\KQE.exe | 0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
File created | C:\windows\SysWOW64\ISOXLLV.exe.bat | NXJNB.exe
File created | C:\windows\SysWOW64\SHPB.exe | BCF.exe
File opened for modification | C:\windows\SysWOW64\OCPC.exe | GKPJ.exe
File opened for modification | C:\windows\SysWOW64\JLV.exe | ZKTSI.exe
File created | C:\windows\SysWOW64\RVZSGNO.exe | WIUIE.exe
File created | C:\windows\SysWOW64\LCR.exe.bat | AJOXXIX.exe
File created | C:\windows\SysWOW64\FWGC.exe | TED.exe
File opened for modification | C:\windows\SysWOW64\CCHXGJ.exe | HOCO.exe
File created | C:\windows\SysWOW64\FSLSTKQ.exe.bat | VKJNQ.exe
File created | C:\windows\SysWOW64\KTD.exe | DAU.exe
File opened for modification | C:\windows\SysWOW64\GQLJ.exe | MVGAUAZ.exe
File opened for modification | C:\windows\SysWOW64\ZPQYHJI.exe | IPOLEE.exe
File created | C:\windows\SysWOW64\JLV.exe | ZKTSI.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\windows\RYRC.exe.bat | VSL.exe
File created | C:\windows\system\YJPTRJ.exe.bat | OBNOOLN.exe
File created | C:\windows\system\KHF.exe | BHDDE.exe
File opened for modification | C:\windows\system\GKPJ.exe | NPPF.exe
File opened for modification | C:\windows\PUXS.exe | ORTOGNA.exe
File created | C:\windows\system\PDBC.exe.bat | PZXGV.exe
File created | C:\windows\system\BXNVMYU.exe.bat | QFK.exe
File created | C:\windows\TIZ.exe.bat | PSLDWQ.exe
File opened for modification | C:\windows\system\XQGLV.exe | TIZ.exe
File created | C:\windows\system\ZIMU.exe.bat | PDBC.exe
File created | C:\windows\system\DRBVTF.exe.bat | VMAHS.exe
File opened for modification | C:\windows\AJOXXIX.exe | AYGWJWQ.exe
File opened for modification | C:\windows\SGG.exe | NGZDXZ.exe
File created | C:\windows\system\ZKTSI.exe.bat | KHJGPDX.exe
File opened for modification | C:\windows\FUCCET.exe | DRBVTF.exe
File created | C:\windows\QYOLNQQ.exe.bat | ISOXLLV.exe
File opened for modification | C:\windows\system\NGZDXZ.exe | SSUT.exe
File opened for modification | C:\windows\system\MBKI.exe | MVK.exe
File created | C:\windows\system\TED.exe | ODW.exe
File created | C:\windows\system\JSQQMFK.exe.bat | DSICD.exe
File created | C:\windows\system\ZIMU.exe | PDBC.exe
File opened for modification | C:\windows\VSL.exe | JAI.exe
File created | C:\windows\system\CRV.exe | YJPTRJ.exe
File opened for modification | C:\windows\system\PYYSX.exe | EGVZ.exe
File created | C:\windows\system\QHTSCVD.exe.bat | GHRN.exe
File created | C:\windows\XFWHPB.exe | VHUFI.exe
File created | C:\windows\PZXGV.exe | PUXS.exe
File created | C:\windows\OBNOOLN.exe.bat | LTTG.exe
File created | C:\windows\system\XVVBUFK.exe.bat | GQLJ.exe
File created | C:\windows\system\HZGRCJ.exe | FBFPV.exe
File created | C:\windows\system\HZGRCJ.exe.bat | FBFPV.exe
File opened for modification | C:\windows\RXFQQ.exe | WKA.exe
File created | C:\windows\LQMEV.exe | WVDSCGC.exe
File created | C:\windows\system\GKPJ.exe.bat | NPPF.exe
File created | C:\windows\WRGS.exe | FHP.exe
File created | C:\windows\RNSSR.exe | PPRQ.exe
File created | C:\windows\system\AHJ.exe | UGCMZT.exe
File opened for modification | C:\windows\ICO.exe | CCHXGJ.exe
File created | C:\windows\system\QYDGXX.exe.bat | FGIOO.exe
File created | C:\windows\HEX.exe.bat | XVVBUFK.exe
File opened for modification | C:\windows\system\LBCKAK.exe | XQGLV.exe
File created | C:\windows\system\YVXDEDE.exe.bat | EASUC.exe
File created | C:\windows\CML.exe | HZGRCJ.exe
File created | C:\windows\LTTG.exe | FSLSTKQ.exe
File created | C:\windows\system\MBKI.exe | MVK.exe
File created | C:\windows\system\MVGAUAZ.exe | CUEVQD.exe
File created | C:\windows\GHRN.exe | AHJ.exe
File created | C:\windows\DQGOU.exe | DDGA.exe
File created | C:\windows\OYW.exe.bat | QYOLNQQ.exe
File created | C:\windows\AGVZIV.exe.bat | ANMXUJ.exe
File created | C:\windows\system\UGCMZT.exe.bat | ATXC.exe
File created | C:\windows\system\PGLDBP.exe.bat | TAFOUF.exe
File created | C:\windows\system\TED.exe.bat | ODW.exe
File created | C:\windows\SGG.exe.bat | NGZDXZ.exe
File created | C:\windows\system\MOKHWZY.exe | KQE.exe
File created | C:\windows\CIYJS.exe.bat | CUGU.exe
File created | C:\windows\system\TAFOUF.exe | HICVM.exe
File opened for modification | C:\windows\system\ENUSKIS.exe | SURHCS.exe
File opened for modification | C:\windows\system\KHF.exe | BHDDE.exe
File created | C:\windows\YEZT.exe.bat | HEX.exe
File opened for modification | C:\windows\system\POAKVE.exe | QWRI.exe
File created | C:\windows\JFTCA.exe.bat | CML.exe
File opened for modification | C:\windows\system\PPRQ.exe | WRGS.exe
File created | C:\windows\system\UGCMZT.exe | ATXC.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 64 IoCs
pid | pid_target | Process | procid_target
4068 | 1932 | WerFault.exe | 81
4004 | 4140 | WerFault.exe | 86
3884 | 3012 | WerFault.exe | 92
3388 | 3820 | WerFault.exe | 97
3144 | 2024 | WerFault.exe | 102
1716 | 4504 | WerFault.exe | 107
1416 | 4400 | WerFault.exe | 112
220 | 2396 | WerFault.exe | 117
1108 | 4584 | WerFault.exe | 121
4184 | 828 | WerFault.exe | 127
1512 | 860 | WerFault.exe | 132
2176 | 5076 | WerFault.exe | 137
2700 | 5044 | WerFault.exe | 142
3252 | 4548 | WerFault.exe | 147
3032 | 4408 | WerFault.exe | 153
4496 | 3688 | WerFault.exe | 160
4608 | 884 | WerFault.exe | 166
4788 | 2988 | WerFault.exe | 171
3668 | 2788 | WerFault.exe | 176
4540 | 4004 | WerFault.exe | 181
1288 | 3484 | WerFault.exe | 187
1464 | 1116 | WerFault.exe | 192
3112 | 4628 | WerFault.exe | 197
2836 | 1540 | WerFault.exe | 202
2912 | 756 | WerFault.exe | 209
3784 | 1532 | WerFault.exe | 214
3652 | 4232 | WerFault.exe | 219
4528 | 3140 | WerFault.exe | 224
2056 | 2700 | WerFault.exe | 228
2960 | 3724 | WerFault.exe | 234
2604 | 3592 | WerFault.exe | 239
1604 | 3376 | WerFault.exe | 244
636 | 3344 | WerFault.exe | 249
668 | 4472 | WerFault.exe | 254
2300 | 3444 | WerFault.exe | 259
3820 | 1480 | WerFault.exe | 264
1820 | 2464 | WerFault.exe | 269
4696 | 3484 | WerFault.exe | 274
3792 | 3724 | WerFault.exe | 279
1604 | 3592 | WerFault.exe | 284
3868 | 916 | WerFault.exe | 289
3120 | 4976 | WerFault.exe | 295
4412 | 860 | WerFault.exe | 300
4548 | 372 | WerFault.exe | 305
3108 | 2748 | WerFault.exe | 310
2944 | 832 | WerFault.exe | 316
4092 | 4068 | WerFault.exe | 321
3684 | 4100 | WerFault.exe | 325
3416 | 4888 | WerFault.exe | 331
2956 | 3652 | WerFault.exe | 336
1480 | 1100 | WerFault.exe | 341
5044 | 1560 | WerFault.exe | 346
3252 | 1668 | WerFault.exe | 351
832 | 3768 | WerFault.exe | 356
2716 | 4160 | WerFault.exe | 361
4920 | 3876 | WerFault.exe | 366
4888 | 3656 | WerFault.exe | 371
1700 | 1852 | WerFault.exe | 376
3420 | 1832 | WerFault.exe | 381
2612 | 2276 | WerFault.exe | 386
2068 | 4396 | WerFault.exe | 391
640 | 4492 | WerFault.exe | 396
1540 | 3768 | WerFault.exe | 401
2460 | 1604 | WerFault.exe | 406
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Opening processes (64 IoCs, in report order): cmd.exe, OYYNGKJ.exe, cmd.exe, cmd.exe, VWD.exe, cmd.exe, ZPG.exe, JLV.exe, cmd.exe, BCBJSPP.exe, cmd.exe, MMKOBFN.exe, cmd.exe, cmd.exe, cmd.exe, OBNOOLN.exe, FGIOO.exe, FWGC.exe, RVZSGNO.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, JFTCA.exe, BDSPQ.exe, ZIMU.exe, SKNEZM.exe, FRHGVC.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, JSQQMFK.exe, cmd.exe, cmd.exe, VMAHS.exe, ISOXLLV.exe, CML.exe, UGCMZT.exe, PDBC.exe, cmd.exe, MVGAUAZ.exe, GKPJ.exe, cmd.exe, cmd.exe, EGVZ.exe, cmd.exe, cmd.exe, cmd.exe, QYOLNQQ.exe, QBJX.exe, cmd.exe, GQLJ.exe, OWPE.exe, SSA.exe, cmd.exe, cmd.exe, XQGLV.exe, VSL.exe, cmd.exe, QFK.exe, cmd.exe, KAPNZS.exe, HUPYSD.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (each pair is listed twice in the report, 32 pairs for 64 IoCs)
1932 | 0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
4140 | KQE.exe
3012 | MOKHWZY.exe
3820 | ORTOGNA.exe
2024 | PUXS.exe
4504 | PZXGV.exe
4400 | PDBC.exe
2396 | ZIMU.exe
4584 | KAPNZS.exe
828 | EWLWJRY.exe
860 | UEUWIF.exe
5076 | OZZ.exe
5044 | WKA.exe
4548 | RXFQQ.exe
4408 | JAI.exe
3688 | VSL.exe
884 | RYRC.exe
2988 | FBN.exe
2788 | KBVOZJ.exe
4004 | FWA.exe
3484 | CUGU.exe
1116 | CIYJS.exe
4628 | WVDSCGC.exe
1540 | LQMEV.exe
756 | LWMLX.exe
1532 | GRRCZFC.exe
4232 | VMAHS.exe
3140 | DRBVTF.exe
2700 | FUCCET.exe
3724 | VKJNQ.exe
3592 | FSLSTKQ.exe
3376 | LTTG.exe
Suspicious use of SetWindowsHookEx 64 IoCs
pid | Process (each pair is listed twice in the report, 32 pairs for 64 IoCs)
1932 | 0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
4140 | KQE.exe
3012 | MOKHWZY.exe
3820 | ORTOGNA.exe
2024 | PUXS.exe
4504 | PZXGV.exe
4400 | PDBC.exe
2396 | ZIMU.exe
4584 | KAPNZS.exe
828 | EWLWJRY.exe
860 | UEUWIF.exe
5076 | OZZ.exe
5044 | WKA.exe
4548 | RXFQQ.exe
4408 | JAI.exe
3688 | VSL.exe
884 | RYRC.exe
2988 | FBN.exe
2788 | KBVOZJ.exe
4004 | FWA.exe
3484 | CUGU.exe
1116 | CIYJS.exe
4628 | WVDSCGC.exe
1540 | LQMEV.exe
756 | LWMLX.exe
1532 | GRRCZFC.exe
4232 | VMAHS.exe
3140 | DRBVTF.exe
2700 | FUCCET.exe
3724 | VKJNQ.exe
3592 | FSLSTKQ.exe
3376 | LTTG.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each row except the last is listed three times in the report, 21 x 3 + 1 = 64 IoCs)
PID 1932 wrote to memory of 3940 | 1932 | 0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe | 82
PID 3940 wrote to memory of 4140 | 3940 | cmd.exe | 86
PID 4140 wrote to memory of 4920 | 4140 | KQE.exe | 88
PID 4920 wrote to memory of 3012 | 4920 | cmd.exe | 92
PID 3012 wrote to memory of 1644 | 3012 | MOKHWZY.exe | 93
PID 1644 wrote to memory of 3820 | 1644 | cmd.exe | 97
PID 3820 wrote to memory of 668 | 3820 | ORTOGNA.exe | 98
PID 668 wrote to memory of 2024 | 668 | cmd.exe | 102
PID 2024 wrote to memory of 1700 | 2024 | PUXS.exe | 103
PID 1700 wrote to memory of 4504 | 1700 | cmd.exe | 107
PID 4504 wrote to memory of 3216 | 4504 | PZXGV.exe | 108
PID 3216 wrote to memory of 4400 | 3216 | cmd.exe | 112
PID 4400 wrote to memory of 3976 | 4400 | PDBC.exe | 113
PID 3976 wrote to memory of 2396 | 3976 | cmd.exe | 117
PID 2396 wrote to memory of 2268 | 2396 | ZIMU.exe | 118
PID 2268 wrote to memory of 4584 | 2268 | cmd.exe | 121
PID 4584 wrote to memory of 4440 | 4584 | KAPNZS.exe | 123
PID 4440 wrote to memory of 828 | 4440 | cmd.exe | 127
PID 828 wrote to memory of 2676 | 828 | EWLWJRY.exe | 128
PID 2676 wrote to memory of 860 | 2676 | cmd.exe | 132
PID 860 wrote to memory of 3444 | 860 | UEUWIF.exe | 133
PID 3444 wrote to memory of 5076 | 3444 | cmd.exe | 137 (listed once)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0dcbe49b721ff9b35469e54feb1aaa7c0ff6749e1294d91adeb24af38291b61bN.exe"
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1932
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KQE.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 3940
Level 3: C:\windows\SysWOW64\KQE.exe
Command line: C:\windows\system32\KQE.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4140
Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MOKHWZY.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 4920
Level 5: C:\windows\system\MOKHWZY.exe
Command line: C:\windows\system\MOKHWZY.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3012
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ORTOGNA.exe.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\windows\ORTOGNA.exeC:\windows\ORTOGNA.exe7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PUXS.exe.bat" "8⤵
- Suspicious use of WriteProcessMemory
PID:668 -
C:\windows\PUXS.exeC:\windows\PUXS.exe9⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PZXGV.exe.bat" "10⤵
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\windows\PZXGV.exeC:\windows\PZXGV.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PDBC.exe.bat" "12⤵
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\windows\system\PDBC.exeC:\windows\system\PDBC.exe13⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZIMU.exe.bat" "14⤵
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\windows\system\ZIMU.exeC:\windows\system\ZIMU.exe15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KAPNZS.exe.bat" "16⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\windows\SysWOW64\KAPNZS.exeC:\windows\system32\KAPNZS.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EWLWJRY.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\windows\SysWOW64\EWLWJRY.exeC:\windows\system32\EWLWJRY.exe19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UEUWIF.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\windows\SysWOW64\UEUWIF.exeC:\windows\system32\UEUWIF.exe21⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OZZ.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\windows\OZZ.exeC:\windows\OZZ.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WKA.exe.bat" "24⤵
- System Location Discovery: System Language Discovery
PID:2920 -
C:\windows\system\WKA.exeC:\windows\system\WKA.exe25⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RXFQQ.exe.bat" "26⤵PID:2972
-
C:\windows\RXFQQ.exeC:\windows\RXFQQ.exe27⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4548 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JAI.exe.bat" "28⤵PID:2932
-
C:\windows\SysWOW64\JAI.exeC:\windows\system32\JAI.exe29⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4408 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VSL.exe.bat" "30⤵PID:2356
-
C:\windows\VSL.exeC:\windows\VSL.exe31⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RYRC.exe.bat" "32⤵PID:3460
-
C:\windows\RYRC.exeC:\windows\RYRC.exe33⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:884 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBN.exe.bat" "34⤵PID:4516
-
C:\windows\SysWOW64\FBN.exeC:\windows\system32\FBN.exe35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KBVOZJ.exe.bat" "36⤵PID:1604
-
C:\windows\system\KBVOZJ.exeC:\windows\system\KBVOZJ.exe37⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2788 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FWA.exe.bat" "38⤵PID:3480
-
C:\windows\FWA.exeC:\windows\FWA.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CUGU.exe.bat" "40⤵
- System Location Discovery: System Language Discovery
PID:436 -
C:\windows\SysWOW64\CUGU.exeC:\windows\system32\CUGU.exe41⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CIYJS.exe.bat" "42⤵PID:1700
-
C:\windows\CIYJS.exeC:\windows\CIYJS.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WVDSCGC.exe.bat" "44⤵
- System Location Discovery: System Language Discovery
PID:2220 -
C:\windows\SysWOW64\WVDSCGC.exeC:\windows\system32\WVDSCGC.exe45⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LQMEV.exe.bat" "46⤵PID:4580
-
C:\windows\LQMEV.exeC:\windows\LQMEV.exe47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LWMLX.exe.bat" "48⤵
- System Location Discovery: System Language Discovery
PID:3688 -
C:\windows\system\LWMLX.exeC:\windows\system\LWMLX.exe49⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GRRCZFC.exe.bat" "50⤵PID:4988
-
C:\windows\GRRCZFC.exeC:\windows\GRRCZFC.exe51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VMAHS.exe.bat" "52⤵PID:2504
-
C:\windows\VMAHS.exeC:\windows\VMAHS.exe53⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DRBVTF.exe.bat" "54⤵PID:3444
-
C:\windows\system\DRBVTF.exeC:\windows\system\DRBVTF.exe55⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3140 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FUCCET.exe.bat" "56⤵PID:1048
-
C:\windows\FUCCET.exeC:\windows\FUCCET.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VKJNQ.exe.bat" "58⤵PID:1668
-
C:\windows\SysWOW64\VKJNQ.exeC:\windows\system32\VKJNQ.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3724 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FSLSTKQ.exe.bat" "60⤵PID:3092
-
C:\windows\SysWOW64\FSLSTKQ.exeC:\windows\system32\FSLSTKQ.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LTTG.exe.bat" "62⤵
- System Location Discovery: System Language Discovery
PID:3256 -
C:\windows\LTTG.exeC:\windows\LTTG.exe63⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OBNOOLN.exe.bat" "64⤵PID:1540
-
C:\windows\OBNOOLN.exeC:\windows\OBNOOLN.exe65⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YJPTRJ.exe.bat" "66⤵PID:828
-
C:\windows\system\YJPTRJ.exeC:\windows\system\YJPTRJ.exe67⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CRV.exe.bat" "68⤵PID:3508
-
C:\windows\system\CRV.exeC:\windows\system\CRV.exe69⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KKE.exe.bat" "70⤵PID:3492
-
C:\windows\SysWOW64\KKE.exeC:\windows\system32\KKE.exe71⤵
- Checks computer location settings
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XMAB.exe.bat" "72⤵
- System Location Discovery: System Language Discovery
PID:1284 -
C:\windows\system\XMAB.exeC:\windows\system\XMAB.exe73⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RAFKYW.exe.bat" "74⤵PID:3952
-
C:\windows\SysWOW64\RAFKYW.exeC:\windows\system32\RAFKYW.exe75⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MVK.exe.bat" "76⤵PID:1292
-
C:\windows\SysWOW64\MVK.exeC:\windows\system32\MVK.exe77⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3724 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MBKI.exe.bat" "78⤵PID:4564
-
C:\windows\system\MBKI.exeC:\windows\system\MBKI.exe79⤵
- Checks computer location settings
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DOUA.exe.bat" "80⤵
- System Location Discovery: System Language Discovery
PID:4744 -
C:\windows\system\DOUA.exeC:\windows\system\DOUA.exe81⤵
- Checks computer location settings
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YBZJKF.exe.bat" "82⤵
- System Location Discovery: System Language Discovery
PID:1460 -
C:\windows\YBZJKF.exeC:\windows\YBZJKF.exe83⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KPSB.exe.bat" "84⤵PID:4212
-
C:\windows\SysWOW64\KPSB.exeC:\windows\system32\KPSB.exe85⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HUPYSD.exe.bat" "86⤵
- System Location Discovery: System Language Discovery
PID:5076 -
C:\windows\SysWOW64\HUPYSD.exeC:\windows\system32\HUPYSD.exe87⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:372 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QURDWBV.exe.bat" "88⤵PID:2484
-
C:\windows\system\QURDWBV.exeC:\windows\system\QURDWBV.exe89⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HICVM.exe.bat" "90⤵PID:2356
-
C:\windows\system\HICVM.exeC:\windows\system\HICVM.exe91⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TAFOUF.exe.bat" "92⤵PID:1660
-
C:\windows\system\TAFOUF.exeC:\windows\system\TAFOUF.exe93⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PGLDBP.exe.bat" "94⤵PID:4600
-
C:\windows\system\PGLDBP.exeC:\windows\system\PGLDBP.exe95⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\AYGWJWQ.exe.bat" "96⤵PID:3392
-
C:\windows\SysWOW64\AYGWJWQ.exeC:\windows\system32\AYGWJWQ.exe97⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AJOXXIX.exe.bat" "98⤵PID:4676
-
C:\windows\AJOXXIX.exeC:\windows\AJOXXIX.exe99⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3652 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCR.exe.bat" "100⤵PID:3924
-
C:\windows\SysWOW64\LCR.exeC:\windows\system32\LCR.exe101⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LHJE.exe.bat" "102⤵
- System Location Discovery: System Language Discovery
PID:1784 -
C:\windows\SysWOW64\LHJE.exeC:\windows\system32\LHJE.exe103⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BCBJSPP.exe.bat" "104⤵PID:4680
-
C:\windows\BCBJSPP.exeC:\windows\BCBJSPP.exe105⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DAU.exe.bat" "106⤵PID:3532
-
C:\windows\system\DAU.exeC:\windows\system\DAU.exe107⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KTD.exe.bat" "108⤵
- System Location Discovery: System Language Discovery
PID:1600 -
C:\windows\SysWOW64\KTD.exeC:\windows\system32\KTD.exe109⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4160 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FGIOO.exe.bat" "110⤵PID:4856
-
C:\windows\SysWOW64\FGIOO.exeC:\windows\system32\FGIOO.exe111⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QYDGXX.exe.bat" "112⤵PID:1460
-
C:\windows\system\QYDGXX.exeC:\windows\system\QYDGXX.exe113⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3656 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DBHNC.exe.bat" "114⤵PID:3884
-
C:\windows\SysWOW64\DBHNC.exeC:\windows\system32\DBHNC.exe115⤵
- Checks computer location settings
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PUCYCW.exe.bat" "116⤵PID:3388
-
C:\windows\SysWOW64\PUCYCW.exeC:\windows\system32\PUCYCW.exe117⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JPG.exe.bat" "118⤵PID:2920
-
C:\windows\SysWOW64\JPG.exeC:\windows\system32\JPG.exe119⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SURHCS.exe.bat" "120⤵PID:1288
-
C:\windows\system\SURHCS.exeC:\windows\system\SURHCS.exe121⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ENUSKIS.exe.bat" "122⤵PID:3512