Analysis
max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted
04/10/2024, 21:25
Static task
static1
Behavioral task
behavioral1
Sample
4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe
Resource
win10v2004-20240802-en
General
Target
4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe
Size
208KB
MD5
76041d013ec747c05b3f72abfd684d4d
SHA1
384034d91f56f43cc5e3b6b73a49d10984cd2953
SHA256
4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434
SHA512
d7cdd83877923166da311e07b38e8aa3733d8ea93aacf05cdcd11e23ec2590a691690355a3d847daa6e863c3415802507a197f63cef0896d393aa935c6af085b
SSDEEP
3072:TYAamQZjGqd4l65adudBqd9H/7dA1MFIgrUi706oM1r6J6Kju4NLthEjQT6+:TYAamQgqew89igPA6JRyuQEjM
Malware Config
Signatures
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe  "C:\Users\Admin\AppData\Local\Temp\4d03aea510372b517fbce63b41279d2f1ef624a2b3c38678b3e09c6f459ac434.exe"  (level 1)
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1064
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\KGRS.exe.bat" "  (level 2)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3028
- C:\windows\KGRS.exe  C:\windows\KGRS.exe  (level 3)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1344
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system\SME.exe.bat" "  (level 4)
  - Suspicious use of WriteProcessMemory
  PID: 1192
- C:\windows\system\SME.exe  C:\windows\system\SME.exe  (level 5)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3564
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ORC.exe.bat" "  (level 6)
  - Suspicious use of WriteProcessMemory
  PID: 3056
- C:\windows\SysWOW64\ORC.exe  C:\windows\system32\ORC.exe  (level 7)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4528
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\OXCK.exe.bat" "  (level 8)
  - Suspicious use of WriteProcessMemory
  PID: 3160
- C:\windows\OXCK.exe  C:\windows\OXCK.exe  (level 9)
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 932
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\JKHUXO.exe.bat" "  (level 10)
  - Suspicious use of WriteProcessMemory
  PID: 2464
- C:\windows\JKHUXO.exe  C:\windows\JKHUXO.exe  (level 11)
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 496
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\CLOFGP.exe.bat" "  (level 12)
  - Suspicious use of WriteProcessMemory
  PID: 2200
- C:\windows\CLOFGP.exe  C:\windows\CLOFGP.exe  (level 13)
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2400
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NDRXPXE.exe.bat" "  (level 14)
  - Suspicious use of WriteProcessMemory
  PID: 712
- C:\windows\SysWOW64\NDRXPXE.exe  C:\windows\system32\NDRXPXE.exe  (level 15)
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3172
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\TDZL.exe.bat" "  (level 16)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3920
- C:\windows\TDZL.exe  C:\windows\TDZL.exe  (level 17)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 824
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TJZAH.exe.bat" "  (level 18)
  - Suspicious use of WriteProcessMemory
  PID: 3128
- C:\windows\SysWOW64\TJZAH.exe  C:\windows\system32\TJZAH.exe  (level 19)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2864
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZJGNQGK.exe.bat" "  (level 20)
  - Suspicious use of WriteProcessMemory
  PID: 4440
- C:\windows\SysWOW64\ZJGNQGK.exe  C:\windows\system32\ZJGNQGK.exe  (level 21)
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2520
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\JKI.exe.bat" "  (level 22)
  - Suspicious use of WriteProcessMemory
  PID: 1832
- C:\windows\JKI.exe  C:\windows\JKI.exe  (level 23)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 3712
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\EURRIO.exe.bat" "  (level 24)
  PID: 4924
- C:\windows\EURRIO.exe  C:\windows\EURRIO.exe  (level 25)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 3416
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KVYF.exe.bat" "  (level 26)
  PID: 1388
- C:\windows\SysWOW64\KVYF.exe  C:\windows\system32\KVYF.exe  (level 27)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4516
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system\EIDOBI.exe.bat" "  (level 28)
  PID: 4240
- C:\windows\system\EIDOBI.exe  C:\windows\system\EIDOBI.exe  (level 29)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1152
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GGWIIF.exe.bat" "  (level 30)
  PID: 1536
- C:\windows\SysWOW64\GGWIIF.exe  C:\windows\system32\GGWIIF.exe  (level 31)
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2604
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system\QGYNLDI.exe.bat" "  (level 32)
  PID: 1148
- C:\windows\system\QGYNLDI.exe  C:\windows\system\QGYNLDI.exe  (level 33)
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2356
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\RJI.exe.bat" "  (level 34)
  PID: 1588
- C:\windows\RJI.exe  C:\windows\RJI.exe  (level 35)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1728
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OOGA.exe.bat" "  (level 36)
  PID: 4548
- C:\windows\SysWOW64\OOGA.exe  C:\windows\system32\OOGA.exe  (level 37)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2120
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\GSFDHFM.exe.bat" "  (level 38)
  PID: 1192
- C:\windows\GSFDHFM.exe  C:\windows\GSFDHFM.exe  (level 39)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1548
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\VPDA.exe.bat" "  (level 40)
  PID: 2052
- C:\windows\VPDA.exe  C:\windows\VPDA.exe  (level 41)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2292
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system\MCOKE.exe.bat" "  (level 42)
  PID: 3500
- C:\windows\system\MCOKE.exe  C:\windows\system\MCOKE.exe  (level 43)
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4320
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HQSCOL.exe.bat" "  (level 44)
  PID: 3044
- C:\windows\SysWOW64\HQSCOL.exe  C:\windows\system32\HQSCOL.exe  (level 45)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1572
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JOUWMAH.exe.bat" "  (level 46)
  PID: 3812
- C:\windows\SysWOW64\JOUWMAH.exe  C:\windows\system32\JOUWMAH.exe  (level 47)
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 856
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\UGP.exe.bat" "  (level 48)
  PID: 4172
- C:\windows\UGP.exe  C:\windows\UGP.exe  (level 49)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2184
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system\JBGTGC.exe.bat" "  (level 50)
  PID: 4932
- C:\windows\system\JBGTGC.exe  C:\windows\system\JBGTGC.exe  (level 51)
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1984
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\EWD.exe.bat" "  (level 52)
  PID: 2248
- C:\windows\EWD.exe  C:\windows\EWD.exe  (level 53)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4156
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ECDR.exe.bat" "  (level 54)
  PID: 1160
- C:\windows\SysWOW64\ECDR.exe  C:\windows\system32\ECDR.exe  (level 55)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2540
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\GPIIC.exe.bat" "  (level 56)
  PID: 2228
- C:\windows\GPIIC.exe  C:\windows\GPIIC.exe  (level 57)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4448
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OKR.exe.bat" "  (level 58)
  PID: 3420
- C:\windows\SysWOW64\OKR.exe  C:\windows\system32\OKR.exe  (level 59)
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4768
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\WYRB.exe.bat" "  (level 60)
  PID: 3768
- C:\windows\SysWOW64\WYRB.exe  C:\windows\system32\WYRB.exe  (level 61)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 3852
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QLWKZG.exe.bat" "  (level 62)
  - System Location Discovery: System Language Discovery
  PID: 1572
- C:\windows\SysWOW64\QLWKZG.exe  C:\windows\system32\QLWKZG.exe  (level 63)
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2364
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\QWXMMS.exe.bat" "  (level 64)
  PID: 3068
- C:\windows\QWXMMS.exe  C:\windows\QWXMMS.exe  (level 65)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4932
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system\YJXSOXN.exe.bat" "  (level 66)
  PID: 4264
- C:\windows\system\YJXSOXN.exe  C:\windows\system\YJXSOXN.exe  (level 67)
  - Executes dropped EXE
  PID: 8
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CREA.exe.bat" "  (level 68)
  PID: 228
- C:\windows\SysWOW64\CREA.exe  C:\windows\system32\CREA.exe  (level 69)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 3476
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GHK.exe.bat" "  (level 70)
  PID: 1756
- C:\windows\SysWOW64\GHK.exe  C:\windows\system32\GHK.exe  (level 71)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 4856
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RAN.exe.bat" "  (level 72)
  PID: 2180
- C:\windows\SysWOW64\RAN.exe  C:\windows\system32\RAN.exe  (level 73)
  - Checks computer location settings
  - Executes dropped EXE
  PID: 4108
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\MNSD.exe.bat" "  (level 74)
  PID: 1852
- C:\windows\MNSD.exe  C:\windows\MNSD.exe  (level 75)
  - Executes dropped EXE
  PID: 4788
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system\GBXMHP.exe.bat" "  (level 76)
  PID: 2872
- C:\windows\system\GBXMHP.exe  C:\windows\system\GBXMHP.exe  (level 77)
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 3832
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\SJEUTH.exe.bat" "  (level 78)
  PID: 1844
- C:\windows\SJEUTH.exe  C:\windows\SJEUTH.exe  (level 79)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 4072
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\QJLICC.exe.bat" "  (level 80)
  PID: 4816
- C:\windows\SysWOW64\QJLICC.exe  C:\windows\system32\QJLICC.exe  (level 81)
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 2068
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\WEKI.exe.bat" "  (level 82)
  PID: 1636
- C:\windows\WEKI.exe  C:\windows\WEKI.exe  (level 83)
  - Executes dropped EXE
  PID: 5096
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\TKQ.exe.bat" "  (level 84)
  PID: 2128
- C:\windows\TKQ.exe  C:\windows\TKQ.exe  (level 85)
  - Executes dropped EXE
  PID: 2476
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\ZKYTFR.exe.bat" "  (level 86)
  PID: 1032
- C:\windows\ZKYTFR.exe  C:\windows\ZKYTFR.exe  (level 87)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 3340
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KDTMFYF.exe.bat" "  (level 88)
  PID: 4088
- C:\windows\SysWOW64\KDTMFYF.exe  C:\windows\system32\KDTMFYF.exe  (level 89)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1960
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\VVW.exe.bat" "  (level 90)
  PID: 1436
- C:\windows\VVW.exe  C:\windows\VVW.exe  (level 91)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 4384
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OYABT.exe.bat" "  (level 92)
  PID: 3768
- C:\windows\SysWOW64\OYABT.exe  C:\windows\system32\OYABT.exe  (level 93)
  - Executes dropped EXE
  PID: 3544
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\DTJ.exe.bat" "  (level 94)
  PID: 3832
- C:\windows\DTJ.exe  C:\windows\DTJ.exe  (level 95)
  - Executes dropped EXE
  PID: 1780
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\OMMY.exe.bat" "  (level 96)
  PID: 1180
- C:\windows\OMMY.exe  C:\windows\OMMY.exe  (level 97)
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 4900
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\WWVZ.exe.bat" "  (level 98)
  - System Location Discovery: System Language Discovery
  PID: 3456
- C:\windows\WWVZ.exe  C:\windows\WWVZ.exe  (level 99)
  - Executes dropped EXE
  PID: 1352
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\NHLX.exe.bat" "  (level 100)
  PID: 556
- C:\windows\NHLX.exe  C:\windows\NHLX.exe  (level 101)
  - Checks computer location settings
  - Executes dropped EXE
  PID: 2940
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system\CKVBTJF.exe.bat" "  (level 102)
  - System Location Discovery: System Language Discovery
  PID: 2664
- C:\windows\system\CKVBTJF.exe  C:\windows\system\CKVBTJF.exe  (level 103)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 784
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EAW.exe.bat" "  (level 104)
  PID: 4144
- C:\windows\SysWOW64\EAW.exe  C:\windows\system32\EAW.exe  (level 105)
  - Executes dropped EXE
  PID: 1852
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\KADJA.exe.bat" "  (level 106)
  PID: 884
- C:\windows\KADJA.exe  C:\windows\KADJA.exe  (level 107)
  - Executes dropped EXE
  PID: 4452
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\TJFWMF.exe.bat" "  (level 108)
  PID: 1724
- C:\windows\TJFWMF.exe  C:\windows\TJFWMF.exe  (level 109)
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 3852
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system\OWC.exe.bat" "  (level 110)
  PID: 4172
- C:\windows\system\OWC.exe  C:\windows\system\OWC.exe  (level 111)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2428
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DRUKHS.exe.bat" "  (level 112)
  PID: 4104
- C:\windows\SysWOW64\DRUKHS.exe  C:\windows\system32\DRUKHS.exe  (level 113)
  - Executes dropped EXE
  PID: 832
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system\XMY.exe.bat" "  (level 114)
  - System Location Discovery: System Language Discovery
  PID: 4968
- C:\windows\system\XMY.exe  C:\windows\system\XMY.exe  (level 115)
  - Executes dropped EXE
  PID: 1984
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system\XSRI.exe.bat" "  (level 116)
  PID: 3476
- C:\windows\system\XSRI.exe  C:\windows\system\XSRI.exe  (level 117)
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 1532
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\YVUMYUO.exe.bat" "  (level 118)
  PID: 2476
- C:\windows\YVUMYUO.exe  C:\windows\YVUMYUO.exe  (level 119)
  - Executes dropped EXE
  PID: 4720
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system\YGD.exe.bat" "  (level 120)
  PID: 1528
- C:\windows\system\YGD.exe  C:\windows\system\YGD.exe  (level 121)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2204
- C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EGLTV.exe.bat" "  (level 122)
  - System Location Discovery: System Language Discovery
  PID: 1960