Analysis
Max time kernel: 150s
Max time network: 94s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11/10/2024, 20:04
Static task: static1
Behavioral task: behavioral1
Sample: 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
Resource: win10v2004-20241007-en
General
Target: 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe
Size: 208KB
MD5: 7197ba91384e104db3a1197a99367abe
SHA1: e9ccf1b601fa65ffbdc206f3de792c7b40e6f1cb
SHA256: 2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3
SHA512: 5d7019810d1a1f8369bf7b22e1f2490392cfc83d9f75ccda613ed5862e4f58b2d839f5f73c220ad81a554b29d81da74ae4ecc41499b31b53efd8891909ed33d8
SSDEEP: 3072:cFlQ93zbLRqwsJkbiwIhq+hbUt0eDIdsMTGuKXO4hWczhyiKhIDnLp4NLthEjQT7:ck9jb8wsJScXbUdIWMKZ31B+untQEjM
Malware Config

Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry gives [nesting depth] image path (PID), the command line where it differs from the image path, and the signatures matched by that process.
- [1] C:\Users\Admin\AppData\Local\Temp\2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe (PID 4828)
  command line: "C:\Users\Admin\AppData\Local\Temp\2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\cmd.exe (PID 4832)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SZOESM.exe.bat" "
  - Suspicious use of WriteProcessMemory
- [3] C:\windows\SZOESM.exe (PID 4364)
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\SysWOW64\cmd.exe (PID 2136)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\PZXGV.exe.bat" "
  - Suspicious use of WriteProcessMemory
- [5] C:\windows\PZXGV.exe (PID 1400)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\SysWOW64\cmd.exe (PID 4272)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XKGAJUT.exe.bat" "
  - Suspicious use of WriteProcessMemory
- [7] C:\windows\SysWOW64\XKGAJUT.exe (PID 3568)
  command line: C:\windows\system32\XKGAJUT.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [8] C:\Windows\SysWOW64\cmd.exe (PID 1120)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNKD.exe.bat" "
  - Suspicious use of WriteProcessMemory
- [9] C:\windows\system\PNKD.exe (PID 3092)
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [10] C:\Windows\SysWOW64\cmd.exe (PID 3580)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QQO.exe.bat" "
  - Suspicious use of WriteProcessMemory
- [11] C:\windows\system\QQO.exe (PID 5100)
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [12] C:\Windows\SysWOW64\cmd.exe (PID 1144)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WQV.exe.bat" "
  - Suspicious use of WriteProcessMemory
- [13] C:\windows\WQV.exe (PID 4016)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [14] C:\Windows\SysWOW64\cmd.exe (PID 3940)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HJQG.exe.bat" "
  - Suspicious use of WriteProcessMemory
- [15] C:\windows\HJQG.exe (PID 3960)
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [16] C:\Windows\SysWOW64\cmd.exe (PID 4304)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AEC.exe.bat" "
  - Suspicious use of WriteProcessMemory
- [17] C:\windows\system\AEC.exe (PID 3804)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [18] C:\Windows\SysWOW64\cmd.exe (PID 1464)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HXD.exe.bat" "
  - Suspicious use of WriteProcessMemory
- [19] C:\windows\system\HXD.exe (PID 4456)
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [20] C:\Windows\SysWOW64\cmd.exe (PID 2384)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\TPGW.exe.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- [21] C:\windows\SysWOW64\TPGW.exe (PID 4808)
  command line: C:\windows\system32\TPGW.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [22] C:\Windows\SysWOW64\cmd.exe (PID 2528)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NCKFXT.exe.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- [23] C:\windows\SysWOW64\NCKFXT.exe (PID 888)
  command line: C:\windows\system32\NCKFXT.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [24] C:\Windows\SysWOW64\cmd.exe (PID 3460)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IQP.exe.bat" "
- [25] C:\windows\IQP.exe (PID 3000)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [26] C:\Windows\SysWOW64\cmd.exe (PID 1448)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RYRC.exe.bat" "
- [27] C:\windows\RYRC.exe (PID 1588)
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [28] C:\Windows\SysWOW64\cmd.exe (PID 1732)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\SBVXQO.exe.bat" "
- [29] C:\windows\system\SBVXQO.exe (PID 3536)
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [30] C:\Windows\SysWOW64\cmd.exe (PID 3584)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LWZBW.exe.bat" "
- [31] C:\windows\SysWOW64\LWZBW.exe (PID 4220)
  command line: C:\windows\system32\LWZBW.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [32] C:\Windows\SysWOW64\cmd.exe (PID 4676)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\PMF.exe.bat" "
- [33] C:\windows\PMF.exe (PID 1696)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [34] C:\Windows\SysWOW64\cmd.exe (PID 1964)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IFV.exe.bat" "
- [35] C:\windows\IFV.exe (PID 1652)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [36] C:\Windows\SysWOW64\cmd.exe (PID 4912)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IKN.exe.bat" "
- [37] C:\windows\IKN.exe (PID 4236)
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [38] C:\Windows\SysWOW64\cmd.exe (PID 752)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XNFFMW.exe.bat" "
- [39] C:\windows\SysWOW64\XNFFMW.exe (PID 4788)
  command line: C:\windows\system32\XNFFMW.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [40] C:\Windows\SysWOW64\cmd.exe (PID 632)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FTXTOBT.exe.bat" "
  - System Location Discovery: System Language Discovery
- [41] C:\windows\system\FTXTOBT.exe (PID 3024)
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [42] C:\Windows\SysWOW64\cmd.exe (PID 5116)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UOGGH.exe.bat" "
- [43] C:\windows\SysWOW64\UOGGH.exe (PID 1556)
  command line: C:\windows\system32\UOGGH.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [44] C:\Windows\SysWOW64\cmd.exe (PID 4400)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NRKBMMV.exe.bat" "
- [45] C:\windows\NRKBMMV.exe (PID 4956)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [46] C:\Windows\SysWOW64\cmd.exe (PID 4716)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OMWFRC.exe.bat" "
  - System Location Discovery: System Language Discovery
- [47] C:\windows\SysWOW64\OMWFRC.exe (PID 2012)
  command line: C:\windows\system32\OMWFRC.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [48] C:\Windows\SysWOW64\cmd.exe (PID 3716)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LMDTIE.exe.bat" "
- [49] C:\windows\SysWOW64\LMDTIE.exe (PID 3152)
  command line: C:\windows\system32\LMDTIE.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [50] C:\Windows\SysWOW64\cmd.exe (PID 2008)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XFYLJMV.exe.bat" "
- [51] C:\windows\system\XFYLJMV.exe (PID 640)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [52] C:\Windows\SysWOW64\cmd.exe (PID 5068)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MVZDP.exe.bat" "
  - System Location Discovery: System Language Discovery
- [53] C:\windows\system\MVZDP.exe (PID 1784)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [54] C:\Windows\SysWOW64\cmd.exe (PID 4560)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\QLG.exe.bat" "
- [55] C:\windows\QLG.exe (PID 1364)
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [56] C:\Windows\SysWOW64\cmd.exe (PID 2244)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LWW.exe.bat" "
- [57] C:\windows\system\LWW.exe (PID 4236)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [58] C:\Windows\SysWOW64\cmd.exe (PID 5012)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ERAFV.exe.bat" "
- [59] C:\windows\ERAFV.exe (PID 2404)
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [60] C:\Windows\SysWOW64\cmd.exe (PID 3568)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IHHFIKR.exe.bat" "
- [61] C:\windows\system\IHHFIKR.exe (PID 3460)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [62] C:\Windows\SysWOW64\cmd.exe (PID 4408)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KUMP.exe.bat" "
- [63] C:\windows\SysWOW64\KUMP.exe (PID 4748)
  command line: C:\windows\system32\KUMP.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- [64] C:\Windows\SysWOW64\cmd.exe (PID 4340)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPLXONV.exe.bat" "
- [65] C:\windows\SysWOW64\IPLXONV.exe (PID 4668)
  command line: C:\windows\system32\IPLXONV.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- [66] C:\Windows\SysWOW64\cmd.exe (PID 4388)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\JKPT.exe.bat" "
- [67] C:\windows\JKPT.exe (PID 4016)
  - Checks computer location settings
  - Executes dropped EXE
- [68] C:\Windows\SysWOW64\cmd.exe (PID 704)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WVXSQGS.exe.bat" "
- [69] C:\windows\WVXSQGS.exe (PID 3808)
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- [70] C:\Windows\SysWOW64\cmd.exe (PID 384)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\MLGJP.exe.bat" "
- [71] C:\windows\system\MLGJP.exe (PID 4616)
  - Executes dropped EXE
- [72] C:\Windows\SysWOW64\cmd.exe (PID 1744)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IREGELR.exe.bat" "
- [73] C:\windows\system\IREGELR.exe (PID 456)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [74] C:\Windows\SysWOW64\cmd.exe (PID 2700)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUIK.exe.bat" "
- [75] C:\windows\SysWOW64\BUIK.exe (PID 3676)
  command line: C:\windows\system32\BUIK.exe
  - Executes dropped EXE
- [76] C:\Windows\SysWOW64\cmd.exe (PID 3516)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QPZOUO.exe.bat" "
- [77] C:\windows\system\QPZOUO.exe (PID 4080)
  - Checks computer location settings
  - Executes dropped EXE
- [78] C:\Windows\SysWOW64\cmd.exe (PID 1800)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\GFAGB.exe.bat" "
- [79] C:\windows\system\GFAGB.exe (PID 1968)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
- [80] C:\Windows\SysWOW64\cmd.exe (PID 1956)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ASFXLJE.exe.bat" "
- [81] C:\windows\SysWOW64\ASFXLJE.exe (PID 1692)
  command line: C:\windows\system32\ASFXLJE.exe
  - Executes dropped EXE
- [82] C:\Windows\SysWOW64\cmd.exe (PID 1540)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VGK.exe.bat" "
- [83] C:\windows\VGK.exe (PID 892)
  - Executes dropped EXE
- [84] C:\Windows\SysWOW64\cmd.exe (PID 1132)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\FDPTDR.exe.bat" "
- [85] C:\windows\FDPTDR.exe (PID 4012)
  - Checks computer location settings
  - Executes dropped EXE
- [86] C:\Windows\SysWOW64\cmd.exe (PID 3128)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SOYSRU.exe.bat" "
- [87] C:\windows\SysWOW64\SOYSRU.exe (PID 3032)
  command line: C:\windows\system32\SOYSRU.exe
  - Executes dropped EXE
- [88] C:\Windows\SysWOW64\cmd.exe (PID 1744)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LRC.exe.bat" "
  - System Location Discovery: System Language Discovery
- [89] C:\windows\system\LRC.exe (PID 4024)
  - Executes dropped EXE
- [90] C:\Windows\SysWOW64\cmd.exe (PID 2384)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GPKHYW.exe.bat" "
- [91] C:\windows\SysWOW64\GPKHYW.exe (PID 452)
  command line: C:\windows\system32\GPKHYW.exe
  - Executes dropped EXE
  - Drops file in Windows directory
- [92] C:\Windows\SysWOW64\cmd.exe (PID 1400)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\INPTOE.exe.bat" "
  - System Location Discovery: System Language Discovery
- [93] C:\windows\system\INPTOE.exe (PID 4576)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [94] C:\Windows\SysWOW64\cmd.exe (PID 3964)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\XIZG.exe.bat" "
- [95] C:\windows\system\XIZG.exe (PID 1548)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [96] C:\Windows\SysWOW64\cmd.exe (PID 3724)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UNF.exe.bat" "
- [97] C:\windows\UNF.exe (PID 1064)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
- [98] C:\Windows\SysWOW64\cmd.exe (PID 4672)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JDGUNWI.exe.bat" "
- [99] C:\windows\system\JDGUNWI.exe (PID 1992)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [100] C:\Windows\SysWOW64\cmd.exe (PID 2060)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\YJL.exe.bat" "
- [101] C:\windows\system\YJL.exe (PID 2928)
  - Executes dropped EXE
- [102] C:\Windows\SysWOW64\cmd.exe (PID 4988)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PJNWX.exe.bat" "
- [103] C:\windows\system\PJNWX.exe (PID 3272)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
- [104] C:\Windows\SysWOW64\cmd.exe (PID 3228)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CUW.exe.bat" "
- [105] C:\windows\system\CUW.exe (PID 3812)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
- [106] C:\Windows\SysWOW64\cmd.exe (PID 428)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SKXMSK.exe.bat" "
- [107] C:\windows\SysWOW64\SKXMSK.exe (PID 4460)
  command line: C:\windows\system32\SKXMSK.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
- [108] C:\Windows\SysWOW64\cmd.exe (PID 2632)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KNB.exe.bat" "
- [109] C:\windows\KNB.exe (PID 4412)
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
- [110] C:\Windows\SysWOW64\cmd.exe (PID 1732)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HLGNN.exe.bat" "
- [111] C:\windows\system\HLGNN.exe (PID 1612)
  - Checks computer location settings
  - Executes dropped EXE
- [112] C:\Windows\SysWOW64\cmd.exe (PID 4256)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LBNNRUW.exe.bat" "
- [113] C:\windows\SysWOW64\LBNNRUW.exe (PID 1548)
  command line: C:\windows\system32\LBNNRUW.exe
  - Executes dropped EXE
- [114] C:\Windows\SysWOW64\cmd.exe (PID 1560)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOSX.exe.bat" "
- [115] C:\windows\SysWOW64\NOSX.exe (PID 4144)
  command line: C:\windows\system32\NOSX.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
- [116] C:\Windows\SysWOW64\cmd.exe (PID 3972)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CUYUID.exe.bat" "
  - System Location Discovery: System Language Discovery
- [117] C:\windows\system\CUYUID.exe (PID 1992)
  - Executes dropped EXE
- [118] C:\Windows\SysWOW64\cmd.exe (PID 3840)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\TUAZUJH.exe.bat" "
- [119] C:\windows\TUAZUJH.exe (PID 5008)
  - Executes dropped EXE
  - Drops file in Windows directory
- [120] C:\Windows\SysWOW64\cmd.exe (PID 4548)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IPJDF.exe.bat" "
- [121] C:\windows\system\IPJDF.exe (PID 5060)
  - Executes dropped EXE
- [122] C:\Windows\SysWOW64\cmd.exe (PID 2508)
  command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KNCFL.exe.bat" "
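Every stage of the tree above is the same pattern: a dropped X.exe.bat is launched by cmd.exe /c, which starts X.exe from C:\windows, C:\windows\system or C:\windows\system32. All stages are 32-bit: the launcher image is C:\Windows\SysWOW64\cmd.exe although its command line names C:\Windows\system32\cmd.exe, and a .bat dropped under C:\windows\system32 is redirected to C:\windows\SysWOW64 by the WOW64 file system redirector, which is why the child image path differs from the path in the command line for those stages. As an added triage example (not part of the tria.ge report), the Python below takes the first nine tree entries as (depth, image, command line, pid), recovers parent/child links from the nesting depth and, for each cmd.exe launcher, checks that the spawned child is the EXE named by the .bat after redirection, records where the dropper wrote it, and whether the stem is the 3 to 7 uppercase letters seen throughout this tree. The location labels and the name pattern are this example's own choices, not tria.ge signatures.

```python
import re
from collections import Counter

# Constructed input: the first nine entries of the process tree above as
# (nesting depth, image path, command line, pid).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2bc5b669ccce680edc2f48da17f9345c7e98cd0d4b629392a16503f6f742f8d3.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TREE = [
    (1, SAMPLE, f'"{SAMPLE}"', 4828),
    (2, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\SZOESM.exe.bat" "', 4832),
    (3, r"C:\windows\SZOESM.exe", r"C:\windows\SZOESM.exe", 4364),
    (4, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\PZXGV.exe.bat" "', 2136),
    (5, r"C:\windows\PZXGV.exe", r"C:\windows\PZXGV.exe", 1400),
    (6, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XKGAJUT.exe.bat" "', 4272),
    (7, r"C:\windows\SysWOW64\XKGAJUT.exe", r"C:\windows\system32\XKGAJUT.exe", 3568),
    (8, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\windows\system\PNKD.exe.bat" "', 1120),
    (9, r"C:\windows\system\PNKD.exe", r"C:\windows\system\PNKD.exe", 3092),
]

BAT_RE = re.compile(r'/c\s+"+([^"]+\.bat)"', re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"


def parent_map(tree):
    """Parent index per entry, derived from nesting depth: the parent of an entry at
    depth d is the most recent entry at depth d-1 (indices, not pids, because the
    full tree reuses pids such as 4016 and 2384). The root maps to None."""
    last_at, parents = {}, []
    for i, (depth, _img, _cmd, _pid) in enumerate(tree):
        parents.append(last_at.get(depth - 1))
        last_at[depth] = i
    return parents


def launched_bat(cmdline):
    """Return the .bat path behind cmd.exe /c "<path>.bat", or None."""
    m = BAT_RE.search(cmdline)
    return m.group(1) if m else None


def wow64_redirect(path, launcher_image):
    """A 32-bit launcher (cmd.exe running from SysWOW64) that opens a path under
    C:\\Windows\\system32 actually gets C:\\Windows\\SysWOW64 (WOW64 redirection)."""
    if "\\syswow64\\" in launcher_image.lower() and path.lower().startswith(SYSTEM32):
        return "C:\\windows\\SysWOW64\\" + path[len(SYSTEM32):]
    return path


def drop_location(path):
    """Example's own labels for the directories this dropper uses."""
    d = path.lower().rsplit("\\", 1)[0]
    return {"c:\\windows": "windows-root",
            "c:\\windows\\system": "windows-system",
            "c:\\windows\\system32": "system32",
            "c:\\windows\\syswow64": "syswow64"}.get(d, "other")


def triage(tree):
    """One finding per cmd.exe /c "<x>.exe.bat" launcher: does the child it spawned
    match the executable the .bat names, and where was that file dropped?"""
    parents = parent_map(tree)
    children = {}
    for i, p in enumerate(parents):
        if p is not None:
            children.setdefault(p, []).append(i)
    findings = []
    for i, (_depth, image, cmdline, pid) in enumerate(tree):
        bat = launched_bat(cmdline)
        if bat is None or not image.lower().endswith("\\cmd.exe"):
            continue
        expected = wow64_redirect(bat[:-len(".bat")], image)
        kids = [tree[k] for k in children.get(i, [])]
        child = next((k for k in kids if k[1].lower() == expected.lower()), None)
        stem = bat.rsplit("\\", 1)[-1].split(".", 1)[0]
        findings.append({
            "launcher_pid": pid,
            "bat": bat,
            "expected_exe": expected,
            "child_pid": child[3] if child else None,
            "child_matches_bat": child is not None,
            "location": drop_location(bat),
            "random_upper_name": bool(re.fullmatch(r"[A-Z]{3,7}", stem)),
        })
    return findings


def location_counts(findings):
    """How many stages dropped into each directory class."""
    return Counter(f["location"] for f in findings)


if __name__ == "__main__":
    for f in triage(TREE):
        print(f)
    print(location_counts(triage(TREE)))
```

A launcher whose child does not match (`child_matches_bat` False) is worth a second look: either the .bat did more than start its namesake, or the tree was truncated at that point, as this report's tree is after depth 122. The redirection step is needed only for 32-bit launchers on 64-bit Windows; on a 32-bit host the system32 path would be literal.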