Analysis
max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/10/2024, 18:27
Static task: static1
Behavioral task: behavioral1
Sample: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
Resource: win10v2004-20240802-en
General
Target: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
Size: 208KB
MD5: 710bf0506b826b66239ea8a924d995a0
SHA1: 565cfb4743a8a466079c6364ddfc531c890bd389
SHA256: 5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78
SHA512: 7ad06ce5c2d247d527c9e6bb1276f52c43488937d046430fb0a30529ff4ca0520b315fc2d815e8dab4c4ea1fa1f8a00fc5eade570405b5dba58186c48d1f23fe
SSDEEP: 3072:DsfYAYB4nLqk42HkQPKInH1NZGwMZvxPFWTBlg+FpTBi4NLthEjQT6W:Sw6LqmPRnVDGwMDPFWTM+FpViQEjE
Malware Config
Signatures
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry: [nesting depth] image path (PID), the command line as recorded, then the signatures that process triggered.
[1] C:\Users\Admin\AppData\Local\Temp\5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe (PID 1076)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe"
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\cmd.exe (PID 3984)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OHSDOPF.exe.bat" "
    - Suspicious use of WriteProcessMemory
[3] C:\windows\SysWOW64\OHSDOPF.exe (PID 3576)
    cmdline: C:\windows\system32\OHSDOPF.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\cmd.exe (PID 3656)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SKQQO.exe.bat" "
    - Suspicious use of WriteProcessMemory
[5] C:\windows\system\SKQQO.exe (PID 3544)
    cmdline: C:\windows\system\SKQQO.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\cmd.exe (PID 1400)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OQWN.exe.bat" "
    - Suspicious use of WriteProcessMemory
[7] C:\windows\system\OQWN.exe (PID 1384)
    cmdline: C:\windows\system\OQWN.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\cmd.exe (PID 5060)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FGDPHE.exe.bat" "
    - Suspicious use of WriteProcessMemory
[9] C:\windows\SysWOW64\FGDPHE.exe (PID 2000)
    cmdline: C:\windows\system32\FGDPHE.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\cmd.exe (PID 2156)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BLBNOO.exe.bat" "
    - Suspicious use of WriteProcessMemory
[11] C:\windows\SysWOW64\BLBNOO.exe (PID 1336)
    cmdline: C:\windows\system32\BLBNOO.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\cmd.exe (PID 64)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\LMDSRLU.exe.bat" "
    - Suspicious use of WriteProcessMemory
[13] C:\windows\LMDSRLU.exe (PID 2032)
    cmdline: C:\windows\LMDSRLU.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\cmd.exe (PID 1088)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CZNKH.exe.bat" "
    - Suspicious use of WriteProcessMemory
[15] C:\windows\system\CZNKH.exe (PID 4028)
    cmdline: C:\windows\system\CZNKH.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\cmd.exe (PID 4412)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CENYJ.exe.bat" "
    - Suspicious use of WriteProcessMemory
[17] C:\windows\SysWOW64\CENYJ.exe (PID 4512)
    cmdline: C:\windows\system32\CENYJ.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[18] C:\Windows\SysWOW64\cmd.exe (PID 3648)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\ZKLVYEF.exe.bat" "
    - Suspicious use of WriteProcessMemory
[19] C:\windows\ZKLVYEF.exe (PID 1012)
    cmdline: C:\windows\ZKLVYEF.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[20] C:\Windows\SysWOW64\cmd.exe (PID 3556)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\KDOOYM.exe.bat" "
    - Suspicious use of WriteProcessMemory
[21] C:\windows\KDOOYM.exe (PID 3156)
    cmdline: C:\windows\KDOOYM.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
[22] C:\Windows\SysWOW64\cmd.exe (PID 2296)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZYYS.exe.bat" "
    - Suspicious use of WriteProcessMemory
[23] C:\windows\SysWOW64\ZYYS.exe (PID 2408)
    cmdline: C:\windows\system32\ZYYS.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[24] C:\Windows\SysWOW64\cmd.exe (PID 4180)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BVZVP.exe.bat" "
[25] C:\windows\SysWOW64\BVZVP.exe (PID 3880)
    cmdline: C:\windows\system32\BVZVP.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[26] C:\Windows\SysWOW64\cmd.exe (PID 2736)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XBXKEF.exe.bat" "
[27] C:\windows\SysWOW64\XBXKEF.exe (PID 4156)
    cmdline: C:\windows\system32\XBXKEF.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[28] C:\Windows\SysWOW64\cmd.exe (PID 2232)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VBEXNZO.exe.bat" "
[29] C:\windows\system\VBEXNZO.exe (PID 4716)
    cmdline: C:\windows\system\VBEXNZO.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[30] C:\Windows\SysWOW64\cmd.exe (PID 3672)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WWQBTP.exe.bat" "
[31] C:\windows\system\WWQBTP.exe (PID 3372)
    cmdline: C:\windows\system\WWQBTP.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[32] C:\Windows\SysWOW64\cmd.exe (PID 3540)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RKNLDPF.exe.bat" "
[33] C:\windows\SysWOW64\RKNLDPF.exe (PID 4988)
    cmdline: C:\windows\system32\RKNLDPF.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[34] C:\Windows\SysWOW64\cmd.exe (PID 3636)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ASPQ.exe.bat" "
[35] C:\windows\SysWOW64\ASPQ.exe (PID 3444)
    cmdline: C:\windows\system32\ASPQ.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[36] C:\Windows\SysWOW64\cmd.exe (PID 2372)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNGCRHP.exe.bat" "
[37] C:\windows\system\PNGCRHP.exe (PID 1196)
    cmdline: C:\windows\system\PNGCRHP.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[38] C:\Windows\SysWOW64\cmd.exe (PID 1928)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OYXSZCL.exe.bat" "
[39] C:\windows\SysWOW64\OYXSZCL.exe (PID 1496)
    cmdline: C:\windows\system32\OYXSZCL.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[40] C:\Windows\SysWOW64\cmd.exe (PID 5068)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OQFTFOZ.exe.bat" "
[41] C:\windows\system\OQFTFOZ.exe (PID 3384)
    cmdline: C:\windows\system\OQFTFOZ.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[42] C:\Windows\SysWOW64\cmd.exe (PID 3516)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XRHYQ.exe.bat" "
[43] C:\windows\SysWOW64\XRHYQ.exe (PID 2248)
    cmdline: C:\windows\system32\XRHYQ.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[44] C:\Windows\SysWOW64\cmd.exe (PID 1332)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TWFVX.exe.bat" "
[45] C:\windows\SysWOW64\TWFVX.exe (PID 2328)
    cmdline: C:\windows\system32\TWFVX.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[46] C:\Windows\SysWOW64\cmd.exe (PID 1596)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OJKFIVS.exe.bat" "
[47] C:\windows\SysWOW64\OJKFIVS.exe (PID 3424)
    cmdline: C:\windows\system32\OJKFIVS.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[48] C:\Windows\SysWOW64\cmd.exe (PID 4996)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YHYZPD.exe.bat" "
[49] C:\windows\SysWOW64\YHYZPD.exe (PID 4124)
    cmdline: C:\windows\system32\YHYZPD.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[50] C:\Windows\SysWOW64\cmd.exe (PID 3852)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\YAYTDH.exe.bat" "
    - System Location Discovery: System Language Discovery
[51] C:\windows\SysWOW64\YAYTDH.exe (PID 3536)
    cmdline: C:\windows\system32\YAYTDH.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[52] C:\Windows\SysWOW64\cmd.exe (PID 3512)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GFYHEUK.exe.bat" "
[53] C:\windows\SysWOW64\GFYHEUK.exe (PID 1072)
    cmdline: C:\windows\system32\GFYHEUK.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[54] C:\Windows\SysWOW64\cmd.exe (PID 2152)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\LIU.exe.bat" "
[55] C:\windows\LIU.exe (PID 1340)
    cmdline: C:\windows\LIU.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[56] C:\Windows\SysWOW64\cmd.exe (PID 1504)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KGB.exe.bat" "
[57] C:\windows\SysWOW64\KGB.exe (PID 3132)
    cmdline: C:\windows\system32\KGB.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[58] C:\Windows\SysWOW64\cmd.exe (PID 4072)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TGDV.exe.bat" "
[59] C:\windows\system\TGDV.exe (PID 2000)
    cmdline: C:\windows\system\TGDV.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[60] C:\Windows\SysWOW64\cmd.exe (PID 1352)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VJFK.exe.bat" "
[61] C:\windows\SysWOW64\VJFK.exe (PID 3496)
    cmdline: C:\windows\system32\VJFK.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[62] C:\Windows\SysWOW64\cmd.exe (PID 4496)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KZGCQMN.exe.bat" "
[63] C:\windows\SysWOW64\KZGCQMN.exe (PID 2492)
    cmdline: C:\windows\system32\KZGCQMN.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
[64] C:\Windows\SysWOW64\cmd.exe (PID 4876)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XKKIVEI.exe.bat" "
[65] C:\windows\SysWOW64\XKKIVEI.exe (PID 3216)
    cmdline: C:\windows\system32\XKKIVEI.exe
    - Executes dropped EXE
[66] C:\Windows\SysWOW64\cmd.exe (PID 3676)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XVSC.exe.bat" "
[67] C:\windows\system\XVSC.exe (PID 1624)
    cmdline: C:\windows\system\XVSC.exe
    - Executes dropped EXE
[68] C:\Windows\SysWOW64\cmd.exe (PID 4616)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\UAQ.exe.bat" "
[69] C:\windows\UAQ.exe (PID 4884)
    cmdline: C:\windows\UAQ.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[70] C:\Windows\SysWOW64\cmd.exe (PID 5060)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ONVIA.exe.bat" "
    - System Location Discovery: System Language Discovery
[71] C:\windows\system\ONVIA.exe (PID 5064)
    cmdline: C:\windows\system\ONVIA.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
[72] C:\Windows\SysWOW64\cmd.exe (PID 4904)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LTBFHBP.exe.bat" "
[73] C:\windows\SysWOW64\LTBFHBP.exe (PID 2156)
    cmdline: C:\windows\system32\LTBFHBP.exe
    - Checks computer location settings
    - Executes dropped EXE
[74] C:\Windows\SysWOW64\cmd.exe (PID 1632)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZZHCODJ.exe.bat" "
[75] C:\windows\SysWOW64\ZZHCODJ.exe (PID 5000)
    cmdline: C:\windows\system32\ZZHCODJ.exe
    - Executes dropped EXE
    - Drops file in System32 directory
[76] C:\Windows\SysWOW64\cmd.exe (PID 5036)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CML.exe.bat" "
[77] C:\windows\SysWOW64\CML.exe (PID 3196)
    cmdline: C:\windows\system32\CML.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
[78] C:\Windows\SysWOW64\cmd.exe (PID 2056)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NHD.exe.bat" "
[79] C:\windows\SysWOW64\NHD.exe (PID 4636)
    cmdline: C:\windows\system32\NHD.exe
    - Executes dropped EXE
[80] C:\Windows\SysWOW64\cmd.exe (PID 1120)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EUNH.exe.bat" "
[81] C:\windows\SysWOW64\EUNH.exe (PID 4756)
    cmdline: C:\windows\system32\EUNH.exe
    - Executes dropped EXE
[82] C:\Windows\SysWOW64\cmd.exe (PID 3424)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\GSHKR.exe.bat" "
[83] C:\windows\GSHKR.exe (PID 1792)
    cmdline: C:\windows\GSHKR.exe
    - Executes dropped EXE
[84] C:\Windows\SysWOW64\cmd.exe (PID 5012)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RLKCZI.exe.bat" "
    - System Location Discovery: System Language Discovery
[85] C:\windows\system\RLKCZI.exe (PID 4124)
    cmdline: C:\windows\system\RLKCZI.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
[86] C:\Windows\SysWOW64\cmd.exe (PID 4712)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\NQPRGS.exe.bat" "
[87] C:\windows\NQPRGS.exe (PID 5072)
    cmdline: C:\windows\NQPRGS.exe
    - Executes dropped EXE
[88] C:\Windows\SysWOW64\cmd.exe (PID 808)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\CONPNBW.exe.bat" "
    - System Location Discovery: System Language Discovery
[89] C:\windows\CONPNBW.exe (PID 1072)
    cmdline: C:\windows\CONPNBW.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[90] C:\Windows\SysWOW64\cmd.exe (PID 3880)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\YTTM.exe.bat" "
    - System Location Discovery: System Language Discovery
[91] C:\windows\YTTM.exe (PID 1152)
    cmdline: C:\windows\YTTM.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[92] C:\Windows\SysWOW64\cmd.exe (PID 4156)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EUBZ.exe.bat" "
[93] C:\windows\SysWOW64\EUBZ.exe (PID 3628)
    cmdline: C:\windows\system32\EUBZ.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[94] C:\Windows\SysWOW64\cmd.exe (PID 2740)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZHFJOF.exe.bat" "
[95] C:\windows\system\ZHFJOF.exe (PID 3644)
    cmdline: C:\windows\system\ZHFJOF.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
[96] C:\Windows\SysWOW64\cmd.exe (PID 2912)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UCK.exe.bat" "
[97] C:\windows\SysWOW64\UCK.exe (PID 404)
    cmdline: C:\windows\system32\UCK.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[98] C:\Windows\SysWOW64\cmd.exe (PID 4436)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FVNL.exe.bat" "
[99] C:\windows\system\FVNL.exe (PID 3932)
    cmdline: C:\windows\system\FVNL.exe
    - Checks computer location settings
    - Executes dropped EXE
[100] C:\Windows\SysWOW64\cmd.exe (PID 3416)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HLGNN.exe.bat" "
[101] C:\windows\system\HLGNN.exe (PID 1908)
    cmdline: C:\windows\system\HLGNN.exe
    - Checks computer location settings
    - Executes dropped EXE
[102] C:\Windows\SysWOW64\cmd.exe (PID 4180)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WOQ.exe.bat" "
[103] C:\windows\system\WOQ.exe (PID 3156)
    cmdline: C:\windows\system\WOQ.exe
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[104] C:\Windows\SysWOW64\cmd.exe (PID 3232)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WTQ.exe.bat" "
    - System Location Discovery: System Language Discovery
[105] C:\windows\system\WTQ.exe (PID 452)
    cmdline: C:\windows\system\WTQ.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
[106] C:\Windows\SysWOW64\cmd.exe (PID 2012)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NGAY.exe.bat" "
[107] C:\windows\SysWOW64\NGAY.exe (PID 4136)
    cmdline: C:\windows\system32\NGAY.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
[108] C:\Windows\SysWOW64\cmd.exe (PID 1332)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AJWXU.exe.bat" "
    - System Location Discovery: System Language Discovery
[109] C:\windows\SysWOW64\AJWXU.exe (PID 1044)
    cmdline: C:\windows\system32\AJWXU.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
[110] C:\Windows\SysWOW64\cmd.exe (PID 1028)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CHYZAM.exe.bat" "
    - System Location Discovery: System Language Discovery
[111] C:\windows\system\CHYZAM.exe (PID 1956)
    cmdline: C:\windows\system\CHYZAM.exe
    - Checks computer location settings
    - Executes dropped EXE
[112] C:\Windows\SysWOW64\cmd.exe (PID 1336)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VKB.exe.bat" "
    - System Location Discovery: System Language Discovery
[113] C:\windows\system\VKB.exe (PID 2404)
    cmdline: C:\windows\system\VKB.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
[114] C:\Windows\SysWOW64\cmd.exe (PID 2860)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\INXBLTG.exe.bat" "
    - System Location Discovery: System Language Discovery
[115] C:\windows\SysWOW64\INXBLTG.exe (PID 4756)
    cmdline: C:\windows\system32\INXBLTG.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
[116] C:\Windows\SysWOW64\cmd.exe (PID 5012)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\XTD.exe.bat" "
[117] C:\windows\XTD.exe (PID 1816)
    cmdline: C:\windows\XTD.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
[118] C:\Windows\SysWOW64\cmd.exe (PID 772)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OGOIIZ.exe.bat" "
[119] C:\windows\SysWOW64\OGOIIZ.exe (PID 1964)
    cmdline: C:\windows\system32\OGOIIZ.exe
    - Checks computer location settings
    - Executes dropped EXE
[120] C:\Windows\SysWOW64\cmd.exe (PID 1208)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FREG.exe.bat" "
[121] C:\windows\SysWOW64\FREG.exe (PID 4384)
    cmdline: C:\windows\system32\FREG.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
[122] C:\Windows\SysWOW64\cmd.exe (PID 2060)
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\ZEJPRU.exe.bat" "
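The tree repeats one pattern: each dropped executable (odd depth) starts cmd.exe /c "<next>.exe.bat", and the only child of that cmd.exe is <next>.exe in C:\windows, C:\windows\system or C:\windows\SysWOW64. Sixty stages are recorded before the run ends; the last cmd.exe (depth 122, launching ZEJPRU.exe.bat) has no recorded child. The script below is an added example, not part of the tria.ge report: it parses entries in the fused "<image><command line><depth>⤵" form the export uses, rebuilds parent/child links from the depth numbers, extracts each stage together with its launcher .bat, and applies the WOW64 file-system redirection the tree itself shows (the command line names C:\windows\system32 while the image path is C:\windows\SysWOW64) so the resulting IOC list holds on-disk paths. Assumptions: the sample input is the first seven entries copied from the tree above; function and regex names are mine; treating a stage name as 3 to 7 upper-case letters fits every name on this page but is a heuristic, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the first seven entries of the process tree
# above, copied in the fused "<image path><command line><depth>⤵" form in
# which the report was exported (the real tree has 122 entries).
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe"C:\Users\Admin\AppData\Local\Temp\5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1076
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OHSDOPF.exe.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3984
C:\windows\SysWOW64\OHSDOPF.exeC:\windows\system32\OHSDOPF.exe3⤵
- Executes dropped EXE
PID:3576
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SKQQO.exe.bat" "4⤵
PID:3656
C:\windows\system\SKQQO.exeC:\windows\system\SKQQO.exe5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3544
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OQWN.exe.bat" "6⤵
PID:1400
C:\windows\system\OQWN.exeC:\windows\system\OQWN.exe7⤵
- Executes dropped EXE
PID:1384
"""

# <image path><command line><depth>⤵ with an optional "PID:n" fused on;
# later entries on this page carry the PID on the same line.
ENTRY_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmdline>.+?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?$')
# cmd.exe /c ""C:\...\X.exe.bat" "  ->  the batch file it was asked to run
BAT_RE = re.compile(r'/c\s+"*(?P<bat>[A-Za-z]:\\[^"]+?\.exe\.bat)"', re.IGNORECASE)
DROP_DIRS = {"c:\\windows\\", "c:\\windows\\system\\",
             "c:\\windows\\system32\\", "c:\\windows\\syswow64\\"}
STAGE_NAME_RE = re.compile(r"^[A-Z]{3,7}\.exe$")   # heuristic, see lead-in


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = None


def parse_tree(text: str) -> List[Proc]:
    """Rebuild parent/child links from the nesting depth of each entry."""
    procs: List[Proc] = []
    last_at = {}                      # depth -> most recent process at that depth
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            p = Proc(int(m["depth"]), m["image"], m["cmdline"],
                     int(m["pid"]) if m["pid"] else None)
            p.parent = last_at.get(p.depth - 1)
            last_at[p.depth] = p
            procs.append(p)
        elif line.startswith("PID:") and procs:      # "PID:1076" or "PID:1076 -"
            procs[-1].pid = int(line[4:].split()[0])
        elif line.startswith("- ") and procs:        # signature bullet
            procs[-1].signatures.append(line[2:])
    return procs


def launched_bat(p: Proc) -> Optional[str]:
    """The X.exe.bat a cmd.exe was started to run, or None."""
    if p.image.lower().rsplit("\\", 1)[-1] != "cmd.exe":
        return None
    m = BAT_RE.search(p.cmdline)
    return m["bat"] if m else None


def wow64_redirect(path: str, is_32bit: bool) -> str:
    r"""A 32-bit process on 64-bit Windows that names C:\Windows\System32 is
    redirected to C:\Windows\SysWOW64 (visible above: cmdline says system32,
    image path says SysWOW64). Map the named path to the on-disk one."""
    if not is_32bit:
        return path
    return re.sub(r"(?i)(\\windows\\)system32\\", r"\1SysWOW64\\", path)


def dropped_exe_chain(procs: List[Proc]):
    """One tuple per stage: (depth, name, exe on disk, launcher .bat on disk).
    A stage is an executable in a Windows system directory whose parent is a
    cmd.exe started to run a .bat of the same name."""
    chain = []
    for p in procs:
        bat = launched_bat(p.parent) if p.parent else None
        if not bat:
            continue
        folder, name = p.image.rsplit("\\", 1)
        if folder.lower() + "\\" not in DROP_DIRS or not STAGE_NAME_RE.match(name):
            continue
        if bat.rsplit("\\", 1)[-1].lower() != name.lower() + ".bat":
            continue
        parent_is_32bit = "\\syswow64\\" in p.parent.image.lower()
        chain.append((p.depth, name, p.image, wow64_redirect(bat, parent_is_32bit)))
    return chain


def summarize(text: str) -> dict:
    procs = parse_tree(text)
    chain = dropped_exe_chain(procs)
    files = {exe for _, _, exe, _ in chain} | {bat for _, _, _, bat in chain}
    return {"processes": len(procs), "stages": len(chain),
            "max_depth": max((p.depth for p in procs), default=0),
            "dropped_files": sorted(files)}


if __name__ == "__main__":
    for depth, name, exe, bat in dropped_exe_chain(parse_tree(SAMPLE_TREE)):
        print(f"depth {depth:3d}  {name:12s} {exe}  <- {bat}")
    print(summarize(SAMPLE_TREE))
```

On the seven sample entries this yields three stages (OHSDOPF.exe, SKQQO.exe, OQWN.exe) and six on-disk paths; pasting the full Processes list in the export form yields all sixty. The redirection step matters when the IOC list is used on a live host: a collector that searches for C:\windows\system32\OHSDOPF.exe.bat literally will not find it, because the 32-bit cmd.exe wrote and read it under C:\windows\SysWOW64.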