Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 120s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 03/10/2024, 19:17
Static task: static1
Behavioral task: behavioral1
  Sample: 448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
  Resource: win10v2004-20240802-en
General
  Target: 448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
  Size: 208KB
  MD5: b396a083206a5791129b1041d7527c50
  SHA1: a3284018452272b72c4e4465089fa062e42796f4
  SHA256: 448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2
  SHA512: 35074d7f867f6c026bda963847bccc00aa8b2f4090c72daeb5998e218081eaa992953bbd4484dbb1c8d4a422268d556fa23c221fd87390e710b12b830bb894b7
  SSDEEP: 3072:74hqYHVGwOa6Mb4GZGxEVBHOsCMldra69myY2m/oykvI6i5gevmCXRwBGa4NLthn:dYUMMy096p05gevzXRwBGaQEjE
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation
Process (one row per IoC, in report order): OASHOYN.exe, GOZJLXF.exe, YJGKVXU.exe, GCICOXQ.exe, FFBCLL.exe, PTXLE.exe, PLGMSA.exe, DDBC.exe, XBFVCFN.exe, IPLXONV.exe, FTTSY.exe, AWN.exe, ISOXLLV.exe, LOOPTM.exe, UEER.exe, TNMC.exe, WXHSM.exe, FTYQG.exe, KECW.exe, OZJXIU.exe, AHAEBM.exe, HEZRQQM.exe, BCC.exe, SVJ.exe, KLARBR.exe, OEGKV.exe, NCMMUQM.exe, ORISQ.exe, IPWSATD.exe, YVU.exe, XFSNDDP.exe, ZNLPGSK.exe, HFTWHIA.exe, RMI.exe, VLCFPH.exe, ZPDAZXX.exe, XEMB.exe, UHDS.exe, RSTMG.exe, YUJVZM.exe, IZLTFW.exe, LRO.exe, TYH.exe, OMP.exe, FOT.exe, YUB.exe, PRJAEC.exe, PSJPUY.exe, JLSCWXP.exe, MKKYPQ.exe, YLIS.exe, CGOEI.exe, JAADM.exe, OKEKRF.exe, HGWN.exe, DVCAT.exe, OYVTUN.exe, XLVSGN.exe, MENM.exe, SHZ.exe, NLXZPSJ.exe, SCKJ.exe, PHJPCH.exe, WGTTV.exe
Executes dropped EXE (64 IoCs)
pid | Process
2272 | YUB.exe
3816 | RMI.exe
4592 | MANQO.exe
3980 | MDRUBOP.exe
668 | YVU.exe
4656 | DVCAT.exe
1600 | YJGKVXU.exe
5092 | AHAEBM.exe
4952 | AZI.exe
4616 | NCMMUQM.exe
4972 | RSTMG.exe
4440 | XFSNDDP.exe
3248 | MICZW.exe
3448 | OYVTUN.exe
832 | XLFLKJC.exe
3048 | SZK.exe
1356 | YUJVZM.exe
1492 | UAPSGW.exe
3068 | GSKLODP.exe
1156 | VNBPZ.exe
4496 | XLVSGN.exe
1672 | VLCFPH.exe
1696 | PZH.exe
4356 | MENM.exe
4916 | QMUMSJM.exe
3008 | IPLXONV.exe
4204 | AVVPEKJ.exe
1520 | AIW.exe
4100 | WGTTV.exe
3616 | AWABZRC.exe
4912 | VJFK.exe
1616 | TZMN.exe
1580 | TNMC.exe
4480 | ZNLPGSK.exe
1492 | UAQ.exe
4148 | FTTSY.exe
3596 | ZGYBJZ.exe
4576 | WME.exe
4532 | HEZRQQM.exe
4896 | TXC.exe
2380 | RMNFTCJ.exe
3088 | TKO.exe
2152 | PSJPUY.exe
3456 | GGTH.exe
3464 | POVMO.exe
2856 | TWCUAKZ.exe
2020 | BCC.exe
4904 | WXHSM.exe
1400 | AFNS.exe
3472 | GFVFH.exe
4652 | RYYYPZ.exe
3376 | ODW.exe
4204 | ZWZG.exe
1728 | ORISQ.exe
4192 | OXIHRQI.exe
4944 | ZPDAZXX.exe
3048 | FPLN.exe
2248 | OYNTU.exe
3836 | JLSCWXP.exe
1492 | IBLFRCX.exe
4992 | KZEZPZ.exe
2616 | PZM.exe
1532 | XEMB.exe
4636 | MKKYPQ.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\windows\SysWOW64\GGTH.exe | PSJPUY.exe
File created | C:\windows\SysWOW64\FJIIED.exe.bat | AIAU.exe
File opened for modification | C:\windows\SysWOW64\GBKSU.exe | PBIMQLN.exe
File opened for modification | C:\windows\SysWOW64\NAU.exe | GPT.exe
File created | C:\windows\SysWOW64\EWG.exe.bat | OMP.exe
File created | C:\windows\SysWOW64\PRJAEC.exe.bat | UEER.exe
File created | C:\windows\SysWOW64\MICZW.exe | XFSNDDP.exe
File opened for modification | C:\windows\SysWOW64\IPLXONV.exe | QMUMSJM.exe
File created | C:\windows\SysWOW64\PJU.exe.bat | PVU.exe
File created | C:\windows\SysWOW64\IPLXONV.exe | QMUMSJM.exe
File created | C:\windows\SysWOW64\UHDS.exe.bat | XBFVCFN.exe
File opened for modification | C:\windows\SysWOW64\WPQXSSR.exe | HKKAL.exe
File created | C:\windows\SysWOW64\GCN.exe.bat | OZJXIU.exe
File created | C:\windows\SysWOW64\IXN.exe | XFK.exe
File created | C:\windows\SysWOW64\QMUMSJM.exe.bat | MENM.exe
File created | C:\windows\SysWOW64\NAU.exe | GPT.exe
File created | C:\windows\SysWOW64\KLARBR.exe | CFADA.exe
File created | C:\windows\SysWOW64\ODW.exe | RYYYPZ.exe
File created | C:\windows\SysWOW64\ISOXLLV.exe.bat | KSHJ.exe
File created | C:\windows\SysWOW64\DQN.exe | XQGLV.exe
File opened for modification | C:\windows\SysWOW64\EWG.exe | OMP.exe
File created | C:\windows\SysWOW64\OBDQQH.exe.bat | FOT.exe
File created | C:\windows\SysWOW64\OUICT.exe | UHDS.exe
File created | C:\windows\SysWOW64\GSKLODP.exe | UAPSGW.exe
File opened for modification | C:\windows\SysWOW64\XLVSGN.exe | VNBPZ.exe
File opened for modification | C:\windows\SysWOW64\TYH.exe | HQTBLK.exe
File created | C:\windows\SysWOW64\TYH.exe.bat | HQTBLK.exe
File opened for modification | C:\windows\SysWOW64\GCICOXQ.exe | MEPA.exe
File opened for modification | C:\windows\SysWOW64\KLARBR.exe | CFADA.exe
File created | C:\windows\SysWOW64\SHPB.exe.bat | NPINLTZ.exe
File created | C:\windows\SysWOW64\TYH.exe | HQTBLK.exe
File created | C:\windows\SysWOW64\CJOQQM.exe.bat | UROP.exe
File opened for modification | C:\windows\SysWOW64\OQX.exe | SKRMYK.exe
File created | C:\windows\SysWOW64\MCQQX.exe | GCICOXQ.exe
File created | C:\windows\SysWOW64\PSJPUY.exe.bat | TKO.exe
File opened for modification | C:\windows\SysWOW64\SHPB.exe | NPINLTZ.exe
File opened for modification | C:\windows\SysWOW64\UROP.exe | YLIS.exe
File created | C:\windows\SysWOW64\UEER.exe.bat | UYECSQF.exe
File created | C:\windows\SysWOW64\OASHOYN.exe | IZLTFW.exe
File created | C:\windows\SysWOW64\MDRUBOP.exe | MANQO.exe
File opened for modification | C:\windows\SysWOW64\PSJPUY.exe | TKO.exe
File created | C:\windows\SysWOW64\KRQSGIL.exe | GBKSU.exe
File created | C:\windows\SysWOW64\PRJAEC.exe | UEER.exe
File opened for modification | C:\windows\SysWOW64\ISOXLLV.exe | KSHJ.exe
File created | C:\windows\SysWOW64\SHPB.exe | NPINLTZ.exe
File created | C:\windows\SysWOW64\MENM.exe.bat | PZH.exe
File created | C:\windows\SysWOW64\PSJPUY.exe | TKO.exe
File created | C:\windows\SysWOW64\BCC.exe | TWCUAKZ.exe
File opened for modification | C:\windows\SysWOW64\AFNS.exe | WXHSM.exe
File created | C:\windows\SysWOW64\XLFLKJC.exe | OYVTUN.exe
File created | C:\windows\SysWOW64\VNBPZ.exe.bat | GSKLODP.exe
File opened for modification | C:\windows\SysWOW64\UAPSGW.exe | YUJVZM.exe
File created | C:\windows\SysWOW64\FTTSY.exe | UAQ.exe
File created | C:\windows\SysWOW64\ODW.exe.bat | RYYYPZ.exe
File opened for modification | C:\windows\SysWOW64\RSTMG.exe | NCMMUQM.exe
File opened for modification | C:\windows\SysWOW64\XLFLKJC.exe | OYVTUN.exe
File opened for modification | C:\windows\SysWOW64\MEPA.exe | RTZC.exe
File opened for modification | C:\windows\SysWOW64\CJOQQM.exe | UROP.exe
File opened for modification | C:\windows\SysWOW64\UEER.exe | UYECSQF.exe
File created | C:\windows\SysWOW64\TZMN.exe | VJFK.exe
File opened for modification | C:\windows\SysWOW64\LRO.exe | VWXHTK.exe
File opened for modification | C:\windows\SysWOW64\VJFK.exe | AWABZRC.exe
File created | C:\windows\SysWOW64\FTTSY.exe.bat | UAQ.exe
File opened for modification | C:\windows\SysWOW64\OBDQQH.exe | FOT.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\windows\system\YJGKVXU.exe | DVCAT.exe
File created | C:\windows\AWN.exe.bat | FJIIED.exe
File created | C:\windows\VJJJR.exe.bat | AWN.exe
File created | C:\windows\system\HQTBLK.exe | SVJ.exe
File created | C:\windows\FFBCLL.exe.bat | LSXT.exe
File opened for modification | C:\windows\NLXZPSJ.exe | TQAQF.exe
File created | C:\windows\system\YTGFLGD.exe.bat | HGWN.exe
File created | C:\windows\system\UYECSQF.exe | YTGFLGD.exe
File created | C:\windows\system\RMNFTCJ.exe.bat | TXC.exe
File created | C:\windows\system\POVMO.exe.bat | GGTH.exe
File created | C:\windows\ORISQ.exe | ZWZG.exe
File created | C:\windows\VJJJR.exe | AWN.exe
File created | C:\windows\system\PBIMQLN.exe | AYYA.exe
File created | C:\windows\HKKAL.exe.bat | EWG.exe
File created | C:\windows\system\OKEKRF.exe.bat | JAADM.exe
File opened for modification | C:\windows\system\FPLN.exe | ZPDAZXX.exe
File opened for modification | C:\windows\IQZ.exe | SVPQV.exe
File created | C:\windows\HGWN.exe.bat | OKEKRF.exe
File created | C:\windows\YVU.exe | MDRUBOP.exe
File opened for modification | C:\windows\YUJVZM.exe | SZK.exe
File created | C:\windows\ZPDAZXX.exe | OXIHRQI.exe
File opened for modification | C:\windows\system\NPINLTZ.exe | LRO.exe
File opened for modification | C:\windows\ZQBH.exe | IQZ.exe
File opened for modification | C:\windows\FFBCLL.exe | LSXT.exe
File opened for modification | C:\windows\XPKITTG.exe | AKMTM.exe
File opened for modification | C:\windows\system\RMI.exe | YUB.exe
File created | C:\windows\MANQO.exe | RMI.exe
File created | C:\windows\XFSNDDP.exe | RSTMG.exe
File opened for modification | C:\windows\system\IBLFRCX.exe | JLSCWXP.exe
File opened for modification | C:\windows\AWN.exe | FJIIED.exe
File opened for modification | C:\windows\SCKJ.exe | OUICT.exe
File created | C:\windows\OEGKV.exe.bat | EEEWRY.exe
File opened for modification | C:\windows\AIAU.exe | OQX.exe
File created | C:\windows\system\SVPQV.exe.bat | SHPB.exe
File created | C:\windows\OCRJY.exe.bat | CJOQQM.exe
File opened for modification | C:\windows\MANQO.exe | RMI.exe
File created | C:\windows\XFSNDDP.exe.bat | RSTMG.exe
File opened for modification | C:\windows\system\NMJ.exe | VJJJR.exe
File created | C:\windows\system\CGOEI.exe.bat | NLXZPSJ.exe
File created | C:\windows\system\JAADM.exe.bat | DZTPD.exe
File opened for modification | C:\windows\system\TKO.exe | RMNFTCJ.exe
File created | C:\windows\system\XQGLV.exe.bat | DDBC.exe
File created | C:\windows\GOZJLXF.exe | ANZVCVE.exe
File created | C:\windows\system\POVMO.exe | GGTH.exe
File opened for modification | C:\windows\ZWZG.exe | ODW.exe
File created | C:\windows\system\PZM.exe | KZEZPZ.exe
File opened for modification | C:\windows\system\OKEKRF.exe | JAADM.exe
File created | C:\windows\system\RMI.exe.bat | YUB.exe
File created | C:\windows\IQZ.exe | SVPQV.exe
File created | C:\windows\LOOPTM.exe | OJIS.exe
File opened for modification | C:\windows\CFADA.exe | NAU.exe
File created | C:\windows\GOZJLXF.exe.bat | ANZVCVE.exe
File opened for modification | C:\windows\PHJPCH.exe | ABDSVX.exe
File opened for modification | C:\windows\GOZJLXF.exe | ANZVCVE.exe
File created | C:\windows\NCMMUQM.exe | AZI.exe
File opened for modification | C:\windows\HEZRQQM.exe | WME.exe
File created | C:\windows\XZEFHQ.exe.bat | OZC.exe
File created | C:\windows\YLIS.exe | PLGMSA.exe
File created | C:\windows\system\JKNPYP.exe | LOOPTM.exe
File created | C:\windows\BQYL.exe.bat | WPQXSSR.exe
File created | C:\windows\system\FAUMR.exe.bat | OASHOYN.exe
File opened for modification | C:\windows\system\SZK.exe | XLFLKJC.exe
File created | C:\windows\system\SZK.exe.bat | XLFLKJC.exe
File created | C:\windows\ZWZG.exe | ODW.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
pid | pid_target | Process | procid_target
768 | 4964 | WerFault.exe | 81
3144 | 2272 | WerFault.exe | 86
3272 | 3816 | WerFault.exe | 92
5104 | 4592 | WerFault.exe | 97
3688 | 3980 | WerFault.exe | 102
4640 | 668 | WerFault.exe | 107
752 | 4656 | WerFault.exe | 112
2364 | 1600 | WerFault.exe | 117
4420 | 5092 | WerFault.exe | 124
1432 | 4952 | WerFault.exe | 131
3016 | 4616 | WerFault.exe | 135
2036 | 4972 | WerFault.exe | 141
4800 | 4440 | WerFault.exe | 146
4944 | 3248 | WerFault.exe | 152
2908 | 3448 | WerFault.exe | 157
4776 | 832 | WerFault.exe | 162
2380 | 3048 | WerFault.exe | 167
3472 | 1356 | WerFault.exe | 173
2592 | 1492 | WerFault.exe | 179
4948 | 3068 | WerFault.exe | 184
1588 | 1156 | WerFault.exe | 189
2940 | 4496 | WerFault.exe | 194
4656 | 1672 | WerFault.exe | 199
60 | 1696 | WerFault.exe | 204
1948 | 4356 | WerFault.exe | 209
208 | 4916 | WerFault.exe | 214
4380 | 3008 | WerFault.exe | 219
3464 | 4204 | WerFault.exe | 224
2616 | 1520 | WerFault.exe | 229
4900 | 4100 | WerFault.exe | 234
4084 | 3616 | WerFault.exe | 238
4088 | 4912 | WerFault.exe | 244
2364 | 1616 | WerFault.exe | 249
1068 | 1580 | WerFault.exe | 254
2952 | 4480 | WerFault.exe | 259
1284 | 1492 | WerFault.exe | 264
2832 | 4148 | WerFault.exe | 269
1048 | 3596 | WerFault.exe | 274
2520 | 4576 | WerFault.exe | 279
4388 | 4532 | WerFault.exe | 283
4840 | 4896 | WerFault.exe | 289
1132 | 2380 | WerFault.exe | 295
4848 | 3088 | WerFault.exe | 300
4752 | 2152 | WerFault.exe | 305
4440 | 3456 | WerFault.exe | 310
1048 | 3464 | WerFault.exe | 315
1440 | 2856 | WerFault.exe | 321
4340 | 2020 | WerFault.exe | 326
1696 | 4904 | WerFault.exe | 331
4620 | 1400 | WerFault.exe | 336
4420 | 3472 | WerFault.exe | 341
1996 | 4652 | WerFault.exe | 346
2688 | 3376 | WerFault.exe | 351
3248 | 4204 | WerFault.exe | 356
3952 | 1728 | WerFault.exe | 361
3208 | 4192 | WerFault.exe | 366
4912 | 4944 | WerFault.exe | 371
1496 | 3048 | WerFault.exe | 376
3144 | 2248 | WerFault.exe | 381
3080 | 3836 | WerFault.exe | 386
4300 | 1492 | WerFault.exe | 391
3872 | 4992 | WerFault.exe | 396
3268 | 2616 | WerFault.exe | 401
316 | 1532 | WerFault.exe | 406
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (one row per IoC, in report order): HEZRQQM.exe, cmd.exe, FJIIED.exe, cmd.exe, BQYL.exe, UAPSGW.exe, UAQ.exe, QYOLNQQ.exe, IZDMVQI.exe, cmd.exe, cmd.exe, KLARBR.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, FPLN.exe, cmd.exe, MANQO.exe, cmd.exe, XQGLV.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, OZC.exe, SHZ.exe, OMP.exe, cmd.exe, cmd.exe, cmd.exe, PZM.exe, cmd.exe, DZTPD.exe, XBFVCFN.exe, cmd.exe, cmd.exe, SZK.exe, cmd.exe, cmd.exe, NMJ.exe, LRO.exe, ZQBH.exe, MCQQX.exe, GBKSU.exe, cmd.exe, NCMMUQM.exe, cmd.exe, GFVFH.exe, cmd.exe, cmd.exe, FTTSY.exe, KZEZPZ.exe, SVPQV.exe, UHDS.exe, MDRUBOP.exe, cmd.exe, cmd.exe, HQTBLK.exe, YJGKVXU.exe, TZMN.exe, CGOEI.exe, cmd.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; each pid/Process pair appears twice in the report)
pid | Process
4964 | 448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
2272 | YUB.exe
3816 | RMI.exe
4592 | MANQO.exe
3980 | MDRUBOP.exe
668 | YVU.exe
4656 | DVCAT.exe
1600 | YJGKVXU.exe
5092 | AHAEBM.exe
4952 | AZI.exe
4616 | NCMMUQM.exe
4972 | RSTMG.exe
4440 | XFSNDDP.exe
3248 | MICZW.exe
3448 | OYVTUN.exe
832 | XLFLKJC.exe
3048 | SZK.exe
1356 | YUJVZM.exe
1492 | UAPSGW.exe
3068 | GSKLODP.exe
1156 | VNBPZ.exe
4496 | XLVSGN.exe
1672 | VLCFPH.exe
1696 | PZH.exe
4356 | MENM.exe
4916 | QMUMSJM.exe
3008 | IPLXONV.exe
4204 | AVVPEKJ.exe
1520 | AIW.exe
4100 | WGTTV.exe
3616 | AWABZRC.exe
4912 | VJFK.exe
Suspicious use of SetWindowsHookEx (64 IoCs; each pid/Process pair appears twice in the report)
pid | Process
4964 | 448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe
2272 | YUB.exe
3816 | RMI.exe
4592 | MANQO.exe
3980 | MDRUBOP.exe
668 | YVU.exe
4656 | DVCAT.exe
1600 | YJGKVXU.exe
5092 | AHAEBM.exe
4952 | AZI.exe
4616 | NCMMUQM.exe
4972 | RSTMG.exe
4440 | XFSNDDP.exe
3248 | MICZW.exe
3448 | OYVTUN.exe
832 | XLFLKJC.exe
3048 | SZK.exe
1356 | YUJVZM.exe
1492 | UAPSGW.exe
3068 | GSKLODP.exe
1156 | VNBPZ.exe
4496 | XLVSGN.exe
1672 | VLCFPH.exe
1696 | PZH.exe
4356 | MENM.exe
4916 | QMUMSJM.exe
3008 | IPLXONV.exe
4204 | AVVPEKJ.exe
1520 | AIW.exe
4100 | WGTTV.exe
3616 | AWABZRC.exe
4912 | VJFK.exe
Suspicious use of WriteProcessMemory (64 IoCs; each row below appears three times in the report unless noted)
description | pid | Process | procid_target
PID 4964 wrote to memory of 888 | 4964 | 448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe | 82
PID 888 wrote to memory of 2272 | 888 | cmd.exe | 86
PID 2272 wrote to memory of 1576 | 2272 | YUB.exe | 88
PID 1576 wrote to memory of 3816 | 1576 | cmd.exe | 92
PID 3816 wrote to memory of 4040 | 3816 | RMI.exe | 93
PID 4040 wrote to memory of 4592 | 4040 | cmd.exe | 97
PID 4592 wrote to memory of 2524 | 4592 | MANQO.exe | 98
PID 2524 wrote to memory of 3980 | 2524 | cmd.exe | 102
PID 3980 wrote to memory of 2584 | 3980 | MDRUBOP.exe | 103
PID 2584 wrote to memory of 668 | 2584 | cmd.exe | 107
PID 668 wrote to memory of 748 | 668 | YVU.exe | 108
PID 748 wrote to memory of 4656 | 748 | cmd.exe | 112
PID 4656 wrote to memory of 832 | 4656 | DVCAT.exe | 113
PID 832 wrote to memory of 1600 | 832 | cmd.exe | 117
PID 1600 wrote to memory of 4884 | 1600 | YJGKVXU.exe | 120
PID 4884 wrote to memory of 5092 | 4884 | cmd.exe | 124
PID 5092 wrote to memory of 2380 | 5092 | AHAEBM.exe | 126
PID 2380 wrote to memory of 4952 | 2380 | cmd.exe | 131
PID 4952 wrote to memory of 4964 | 4952 | AZI.exe | 132
PID 4964 wrote to memory of 4616 | 4964 | cmd.exe | 135
PID 4616 wrote to memory of 4288 | 4616 | NCMMUQM.exe | 137
PID 4288 wrote to memory of 4972 | 4288 | cmd.exe | 141 (appears once; the list is cut off here)
Processes (each numbered entry is a child of the one before it; the number is its depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe (PID 4964)
   Command line: "C:\Users\Admin\AppData\Local\Temp\448cb9f3d19008485974111a04720210c67b912485a76f689b7b5c8f50ff76a2N.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\cmd.exe (PID 888)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\YUB.exe.bat" "
   - Suspicious use of WriteProcessMemory
3. C:\windows\system\YUB.exe (PID 2272)
   Command line: C:\windows\system\YUB.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\cmd.exe (PID 1576)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RMI.exe.bat" "
   - Suspicious use of WriteProcessMemory
5. C:\windows\system\RMI.exe (PID 3816)
   Command line: C:\windows\system\RMI.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\cmd.exe (PID 4040)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\MANQO.exe.bat" "
   - Suspicious use of WriteProcessMemory
7. C:\windows\MANQO.exe (PID 4592)
   Command line: C:\windows\MANQO.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\cmd.exe (PID 2524)
   Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MDRUBOP.exe.bat" "
   - Suspicious use of WriteProcessMemory
9. C:\windows\SysWOW64\MDRUBOP.exe (PID 3980)
   Command line: C:\windows\system32\MDRUBOP.exe
   - Executes dropped EXE
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\cmd.exe (PID 2584)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YVU.exe.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
11. C:\windows\YVU.exe (PID 668)
    Command line: C:\windows\YVU.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\cmd.exe (PID 748)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DVCAT.exe.bat" "
    - Suspicious use of WriteProcessMemory
13. C:\windows\system\DVCAT.exe (PID 4656)
    Command line: C:\windows\system\DVCAT.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\cmd.exe (PID 832)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\YJGKVXU.exe.bat" "
    - Suspicious use of WriteProcessMemory
15. C:\windows\system\YJGKVXU.exe (PID 1600)
    Command line: C:\windows\system\YJGKVXU.exe
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\cmd.exe (PID 4884)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AHAEBM.exe.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
17. C:\windows\AHAEBM.exe (PID 5092)
    Command line: C:\windows\AHAEBM.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\cmd.exe (PID 2380)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AZI.exe.bat" "
    - Suspicious use of WriteProcessMemory
19. C:\windows\system\AZI.exe (PID 4952)
    Command line: C:\windows\system\AZI.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\cmd.exe (PID 4964)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NCMMUQM.exe.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
21. C:\windows\NCMMUQM.exe (PID 4616)
    Command line: C:\windows\NCMMUQM.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\cmd.exe (PID 4288)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RSTMG.exe.bat" "
    - Suspicious use of WriteProcessMemory
23. C:\windows\SysWOW64\RSTMG.exe (PID 4972)
    Command line: C:\windows\system32\RSTMG.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
24. C:\Windows\SysWOW64\cmd.exe (PID 1584)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\XFSNDDP.exe.bat" "
    - System Location Discovery: System Language Discovery
25. C:\windows\XFSNDDP.exe (PID 4440)
    Command line: C:\windows\XFSNDDP.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
26. C:\Windows\SysWOW64\cmd.exe (PID 1740)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MICZW.exe.bat" "
27. C:\windows\SysWOW64\MICZW.exe (PID 3248)
    Command line: C:\windows\system32\MICZW.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
28. C:\Windows\SysWOW64\cmd.exe (PID 2020)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OYVTUN.exe.bat" "
29. C:\windows\system\OYVTUN.exe (PID 3448)
    Command line: C:\windows\system\OYVTUN.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
30. C:\Windows\SysWOW64\cmd.exe (PID 1672)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XLFLKJC.exe.bat" "
31. C:\windows\SysWOW64\XLFLKJC.exe (PID 832)
    Command line: C:\windows\system32\XLFLKJC.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
32. C:\Windows\SysWOW64\cmd.exe (PID 3208)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SZK.exe.bat" "
33. C:\windows\system\SZK.exe (PID 3048)
    Command line: C:\windows\system\SZK.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
34. C:\Windows\SysWOW64\cmd.exe (PID 3604)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\YUJVZM.exe.bat" "
35. C:\windows\YUJVZM.exe (PID 1356)
    Command line: C:\windows\YUJVZM.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
36. C:\Windows\SysWOW64\cmd.exe (PID 2092)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UAPSGW.exe.bat" "
    - System Location Discovery: System Language Discovery
37. C:\windows\SysWOW64\UAPSGW.exe (PID 1492)
    Command line: C:\windows\system32\UAPSGW.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
38. C:\Windows\SysWOW64\cmd.exe (PID 3192)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GSKLODP.exe.bat" "
    - System Location Discovery: System Language Discovery
39. C:\windows\SysWOW64\GSKLODP.exe (PID 3068)
    Command line: C:\windows\system32\GSKLODP.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
40. C:\Windows\SysWOW64\cmd.exe (PID 2316)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VNBPZ.exe.bat" "
41. C:\windows\SysWOW64\VNBPZ.exe (PID 1156)
    Command line: C:\windows\system32\VNBPZ.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
42. C:\Windows\SysWOW64\cmd.exe (PID 688)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XLVSGN.exe.bat" "
43. C:\windows\SysWOW64\XLVSGN.exe (PID 4496)
    Command line: C:\windows\system32\XLVSGN.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
44. C:\Windows\SysWOW64\cmd.exe (PID 404)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VLCFPH.exe.bat" "
45. C:\windows\SysWOW64\VLCFPH.exe (PID 1672)
    Command line: C:\windows\system32\VLCFPH.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
46. C:\Windows\SysWOW64\cmd.exe (PID 4108)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\PZH.exe.bat" "
47. C:\windows\PZH.exe (PID 1696)
    Command line: C:\windows\PZH.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
48. C:\Windows\SysWOW64\cmd.exe (PID 316)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\MENM.exe.bat" "
49. C:\windows\SysWOW64\MENM.exe (PID 4356)
    Command line: C:\windows\system32\MENM.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
50. C:\Windows\SysWOW64\cmd.exe (PID 4840)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QMUMSJM.exe.bat" "
51. C:\windows\SysWOW64\QMUMSJM.exe (PID 4916)
    Command line: C:\windows\system32\QMUMSJM.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
52. C:\Windows\SysWOW64\cmd.exe (PID 4952)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPLXONV.exe.bat" "
53. C:\windows\SysWOW64\IPLXONV.exe (PID 3008)
    Command line: C:\windows\system32\IPLXONV.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
54. C:\Windows\SysWOW64\cmd.exe (PID 4976)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AVVPEKJ.exe.bat" "
55. C:\windows\AVVPEKJ.exe (PID 4204)
    Command line: C:\windows\AVVPEKJ.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
56. C:\Windows\SysWOW64\cmd.exe (PID 3376)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AIW.exe.bat" "
    - System Location Discovery: System Language Discovery
57. C:\windows\AIW.exe (PID 1520)
    Command line: C:\windows\AIW.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
58. C:\Windows\SysWOW64\cmd.exe (PID 4440)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WGTTV.exe.bat" "
59. C:\windows\SysWOW64\WGTTV.exe (PID 4100)
    Command line: C:\windows\system32\WGTTV.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
60. C:\Windows\SysWOW64\cmd.exe (PID 3668)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AWABZRC.exe.bat" "
61. C:\windows\SysWOW64\AWABZRC.exe (PID 3616)
    Command line: C:\windows\system32\AWABZRC.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
62. C:\Windows\SysWOW64\cmd.exe (PID 1916)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VJFK.exe.bat" "
63. C:\windows\SysWOW64\VJFK.exe (PID 4912)
    Command line: C:\windows\system32\VJFK.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
64. C:\Windows\SysWOW64\cmd.exe (PID 4340)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TZMN.exe.bat" "
65. C:\windows\SysWOW64\TZMN.exe (PID 1616)
    Command line: C:\windows\system32\TZMN.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
66. C:\Windows\SysWOW64\cmd.exe (PID 2912)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TNMC.exe.bat" "
67. C:\windows\SysWOW64\TNMC.exe (PID 1580)
    Command line: C:\windows\system32\TNMC.exe
    - Checks computer location settings
    - Executes dropped EXE
68. C:\Windows\SysWOW64\cmd.exe (PID 1496)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZNLPGSK.exe.bat" "
69. C:\windows\SysWOW64\ZNLPGSK.exe (PID 4480)
    Command line: C:\windows\system32\ZNLPGSK.exe
    - Checks computer location settings
    - Executes dropped EXE
70. C:\Windows\SysWOW64\cmd.exe (PID 1176)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UAQ.exe.bat" "
71. C:\windows\UAQ.exe (PID 1492)
    Command line: C:\windows\UAQ.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
72. C:\Windows\SysWOW64\cmd.exe (PID 1996)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FTTSY.exe.bat" "
    - System Location Discovery: System Language Discovery
73. C:\windows\SysWOW64\FTTSY.exe (PID 4148)
    Command line: C:\windows\system32\FTTSY.exe
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
74. C:\Windows\SysWOW64\cmd.exe (PID 1796)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZGYBJZ.exe.bat" "
75. C:\windows\system\ZGYBJZ.exe (PID 3596)
    Command line: C:\windows\system\ZGYBJZ.exe
    - Executes dropped EXE
76. C:\Windows\SysWOW64\cmd.exe (PID 1044)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WME.exe.bat" "
    - System Location Discovery: System Language Discovery
77. C:\windows\WME.exe (PID 4576)
    Command line: C:\windows\WME.exe
    - Executes dropped EXE
    - Drops file in Windows directory
78. C:\Windows\SysWOW64\cmd.exe (PID 4956)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HEZRQQM.exe.bat" "
79. C:\windows\HEZRQQM.exe (PID 4532)
    Command line: C:\windows\HEZRQQM.exe
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
80. C:\Windows\SysWOW64\cmd.exe (PID 404)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TXC.exe.bat" "
81. C:\windows\TXC.exe (PID 4896)
    Command line: C:\windows\TXC.exe
    - Executes dropped EXE
    - Drops file in Windows directory
82. C:\Windows\SysWOW64\cmd.exe (PID 1696)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\RMNFTCJ.exe.bat" "
    - System Location Discovery: System Language Discovery
83. C:\windows\system\RMNFTCJ.exe (PID 2380)
    Command line: C:\windows\system\RMNFTCJ.exe
    - Executes dropped EXE
    - Drops file in Windows directory
84. C:\Windows\SysWOW64\cmd.exe (PID 4620)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TKO.exe.bat" "
85. C:\windows\system\TKO.exe (PID 3088)
    Command line: C:\windows\system\TKO.exe
    - Executes dropped EXE
    - Drops file in System32 directory
86. C:\Windows\SysWOW64\cmd.exe (PID 4652)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PSJPUY.exe.bat" "
    - System Location Discovery: System Language Discovery
87. C:\windows\SysWOW64\PSJPUY.exe (PID 2152)
    Command line: C:\windows\system32\PSJPUY.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
88. C:\Windows\SysWOW64\cmd.exe (PID 5008)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GGTH.exe.bat" "
89. C:\windows\SysWOW64\GGTH.exe (PID 3456)
    Command line: C:\windows\system32\GGTH.exe
    - Executes dropped EXE
    - Drops file in Windows directory
90. C:\Windows\SysWOW64\cmd.exe (PID 2688)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\POVMO.exe.bat" "
    - System Location Discovery: System Language Discovery
91. C:\windows\system\POVMO.exe (PID 3464)
    Command line: C:\windows\system\POVMO.exe
    - Executes dropped EXE
92. C:\Windows\SysWOW64\cmd.exe (PID 3556)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TWCUAKZ.exe.bat" "
93. C:\windows\TWCUAKZ.exe (PID 2856)
    Command line: C:\windows\TWCUAKZ.exe
    - Executes dropped EXE
    - Drops file in System32 directory
94. C:\Windows\SysWOW64\cmd.exe (PID 4496)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BCC.exe.bat" "
95. C:\windows\SysWOW64\BCC.exe (PID 2020)
    Command line: C:\windows\system32\BCC.exe
    - Checks computer location settings
    - Executes dropped EXE
96. C:\Windows\SysWOW64\cmd.exe (PID 1064)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WXHSM.exe.bat" "
97. C:\windows\WXHSM.exe (PID 4904)
    Command line: C:\windows\WXHSM.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
98. C:\Windows\SysWOW64\cmd.exe (PID 3196)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\AFNS.exe.bat" "
99. C:\windows\SysWOW64\AFNS.exe (PID 1400)
    Command line: C:\windows\system32\AFNS.exe
    - Executes dropped EXE
100. C:\Windows\SysWOW64\cmd.exe (PID 2692)
     Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GFVFH.exe.bat" "
101. C:\windows\SysWOW64\GFVFH.exe (PID 3472)
     Command line: C:\windows\system32\GFVFH.exe
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
102. C:\Windows\SysWOW64\cmd.exe (PID 436)
     Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RYYYPZ.exe.bat" "
103. C:\windows\RYYYPZ.exe (PID 4652)
     Command line: C:\windows\RYYYPZ.exe
     - Executes dropped EXE
     - Drops file in System32 directory
104. C:\Windows\SysWOW64\cmd.exe (PID 64)
     Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ODW.exe.bat" "
105. C:\windows\SysWOW64\ODW.exe (PID 3376)
     Command line: C:\windows\system32\ODW.exe
     - Executes dropped EXE
     - Drops file in Windows directory
106. C:\Windows\SysWOW64\cmd.exe (PID 2036)
     Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZWZG.exe.bat" "
107. C:\windows\ZWZG.exe (PID 4204)
     Command line: C:\windows\ZWZG.exe
     - Executes dropped EXE
     - Drops file in Windows directory
108. C:\Windows\SysWOW64\cmd.exe (PID 4808)
     Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ORISQ.exe.bat" "
109. C:\windows\ORISQ.exe (PID 1728)
     Command line: C:\windows\ORISQ.exe
     - Checks computer location settings
     - Executes dropped EXE
110. C:\Windows\SysWOW64\cmd.exe (PID 2896)
     Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OXIHRQI.exe.bat" "
     - System Location Discovery: System Language Discovery
111. C:\windows\OXIHRQI.exe (PID 4192)
     Command line: C:\windows\OXIHRQI.exe
     - Executes dropped EXE
     - Drops file in Windows directory
112. C:\Windows\SysWOW64\cmd.exe (PID 2856)
     Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZPDAZXX.exe.bat" "
113. C:\windows\ZPDAZXX.exe (PID 4944)
     Command line: C:\windows\ZPDAZXX.exe
     - Checks computer location settings
     - Executes dropped EXE
     - Drops file in Windows directory
114. C:\Windows\SysWOW64\cmd.exe (PID 4920)
     Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FPLN.exe.bat" "
115. C:\windows\system\FPLN.exe (PID 3048)
     Command line: C:\windows\system\FPLN.exe
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
116. C:\Windows\SysWOW64\cmd.exe (PID 4904)
     Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OYNTU.exe.bat" "
117. C:\windows\OYNTU.exe (PID 2248)
     Command line: C:\windows\OYNTU.exe
     - Executes dropped EXE
118. C:\Windows\SysWOW64\cmd.exe (PID 1400)
     Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JLSCWXP.exe.bat" "
119. C:\windows\system\JLSCWXP.exe (PID 3836)
     Command line: C:\windows\system\JLSCWXP.exe
     - Checks computer location settings
     - Executes dropped EXE
     - Drops file in Windows directory
120. C:\Windows\SysWOW64\cmd.exe (PID 3472)
     Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IBLFRCX.exe.bat" "
     - System Location Discovery: System Language Discovery
121. C:\windows\system\IBLFRCX.exe (PID 1492)
     Command line: C:\windows\system\IBLFRCX.exe
     - Executes dropped EXE
122. C:\Windows\SysWOW64\cmd.exe (PID 4652)
     Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KZEZPZ.exe.bat" "