Analysis
max time kernel: 105s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 17:48
Static task: static1
Behavioral task: behavioral1
  Sample: b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe
Size: 289KB
MD5: b06ab67b29448cb230ec8cf37b546ff0
SHA1: bce511c7ef929be8b8ab8ff6f82a09e34b93b630
SHA256: 5ad7895a3dfb5cdec30ead4ddb2574ea10ab50fd23e8506cece03c9caed0a3f9
SHA512: 0f860d08ee7e07b60db35ecfdc61c532a2322f09394f2e6837bbb64e74692eee52d1af2c24d0c8f385d5cb60ce9bc4bfe0c6ee08e0d19d8a18a6400aca8e11aa
SSDEEP: 3072:bjoYk+xGI8U1XLS+PdLfL1zlGMoekBoge4pLthECQT68VMJLaQljVvzUpz:HoYkvIHffLWKumkECzJLaQVbU5
Malware Config
Signatures

Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
Process (64 rows, each querying the key above): SSEF.exe, EEQEMX.exe, ITYAMZ.exe, VELEIV.exe, YKQE.exe, VHTRB.exe, LXPHL.exe, SYEYM.exe, XHZ.exe, OYR.exe, KMUGGVI.exe, ICRGRCQ.exe, ATNWNP.exe, CUB.exe, NIMZFAS.exe, FVPOZA.exe, XABEIT.exe, CWFLDSZ.exe, WNFJZO.exe, NRUIO.exe, IDOIN.exe, ZFK.exe, ROREVCI.exe, VXHZZ.exe, NRXZUYN.exe, NXP.exe, NPZEOA.exe, IGL.exe, RZHISS.exe, AXUNCO.exe, WUOHC.exe, FAHPNKM.exe, USCHC.exe, KECW.exe, KZGCQMN.exe, EDRA.exe, STCTROG.exe, NRVL.exe, XTB.exe, VWI.exe, AIUJS.exe, DKHQL.exe, BEY.exe, BXJTKQ.exe, GMBVR.exe, FJIIED.exe, HNC.exe, RIVT.exe, OZOBB.exe, PKQ.exe, QNI.exe, CORQL.exe, HAK.exe, LGS.exe, DLREBPP.exe, GWJ.exe, SBHPA.exe, OJKFIVS.exe, KDJ.exe, YDLS.exe, EOVI.exe, KLARBR.exe, ZHSQS.exe, GCL.exe
Executes dropped EXE (64 IoCs)
pid Process: 1008 MGZ.exe; 2044 HTEHT.exe; 4608 GWJ.exe; 3756 XHZ.exe; 2668 YKQE.exe; 2568 AXUNCO.exe; 4324 QNI.exe; 2892 ZWKK.exe; 4284 NRVL.exe; 4236 VXAR.exe; 1308 DCN.exe; 5060 ODU.exe; 4172 TVELSRQ.exe; 812 LDSRE.exe; 1944 DGWMKX.exe; 2268 EJMIYHW.exe; 5028 EEQEMX.exe; 2072 WNFJZO.exe; 1328 VXHZZ.exe; 4260 BTTSN.exe; 2840 SBHPA.exe; 3540 NOMHKZO.exe; 4836 GCL.exe; 928 SSEF.exe; 2276 DKHQL.exe; 860 LQMEV.exe; 1008 NOARDBT.exe; 4480 XLFLKJC.exe; 3028 BPDG.exe; 4584 VHTRB.exe; 4940 RIVT.exe; 2840 BFI.exe; 1664 FVPOZA.exe; 4376 CORQL.exe; 4288 HTJFB.exe; 4520 OJKFIVS.exe; 3504 WXWLKT.exe; 2384 UNK.exe; 1964 KDJ.exe; 3284 LGNKR.exe; 3808 JRXA.exe; 3320 CUB.exe; 1352 KZGCQMN.exe; 5072 XKWBE.exe; 4960 ASFXLJE.exe; 3032 PNOC.exe; 3456 OYR.exe; 4344 NRUIO.exe; 3532 ERI.exe; 1108 KMUGGVI.exe; 2348 HNEIKA.exe; 1664 EDRA.exe; 2764 ITYAMZ.exe; 1020 OGKBSN.exe; 4876 WUOHC.exe; 2204 RHTRNMV.exe; 4620 UCK.exe; 2384 HAK.exe; 5000 IDOIN.exe; 1420 XTB.exe; 4232 UZHOKXF.exe; 2684 NRXZUYN.exe; 2056 NXP.exe; 2768 EFD.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\windows\SysWOW64\PNOC.exe | ASFXLJE.exe
File created | C:\windows\SysWOW64\HAK.exe.bat | UCK.exe
File created | C:\windows\SysWOW64\GOVOZKF.exe | GIVAXX.exe
File opened for modification | C:\windows\SysWOW64\WYJ.exe | YNHBOG.exe
File opened for modification | C:\windows\SysWOW64\RZEG.exe | EOVI.exe
File created | C:\windows\SysWOW64\AXUNCO.exe | YKQE.exe
File opened for modification | C:\windows\SysWOW64\DGWMKX.exe | LDSRE.exe
File created | C:\windows\SysWOW64\XLFLKJC.exe.bat | NOARDBT.exe
File opened for modification | C:\windows\SysWOW64\ICRGRCQ.exe | EEHQBGV.exe
File created | C:\windows\SysWOW64\PNOC.exe.bat | ASFXLJE.exe
File opened for modification | C:\windows\SysWOW64\RZHISS.exe | LGS.exe
File created | C:\windows\SysWOW64\AIUJS.exe | BXJTKQ.exe
File created | C:\windows\SysWOW64\AIUJS.exe.bat | BXJTKQ.exe
File created | C:\windows\SysWOW64\MGZ.exe | b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe
File created | C:\windows\SysWOW64\LDSRE.exe.bat | TVELSRQ.exe
File created | C:\windows\SysWOW64\OJKFIVS.exe.bat | HTJFB.exe
File opened for modification | C:\windows\SysWOW64\KDJ.exe | UNK.exe
File opened for modification | C:\windows\SysWOW64\VUMKWYK.exe | JRCXMT.exe
File created | C:\windows\SysWOW64\VUMKWYK.exe.bat | JRCXMT.exe
File created | C:\windows\SysWOW64\YDLS.exe.bat | FAHPNKM.exe
File created | C:\windows\SysWOW64\MPG.exe.bat | KRS.exe
File opened for modification | C:\windows\SysWOW64\LDSRE.exe | TVELSRQ.exe
File opened for modification | C:\windows\SysWOW64\RIVT.exe | VHTRB.exe
File created | C:\windows\SysWOW64\FJIIED.exe.bat | XVVBUFK.exe
File created | C:\windows\SysWOW64\WYJ.exe | YNHBOG.exe
File created | C:\windows\SysWOW64\ASFXLJE.exe.bat | XKWBE.exe
File created | C:\windows\SysWOW64\ERI.exe.bat | NRUIO.exe
File created | C:\windows\SysWOW64\ERI.exe | NRUIO.exe
File opened for modification | C:\windows\SysWOW64\OGKBSN.exe | ITYAMZ.exe
File created | C:\windows\SysWOW64\RZEG.exe.bat | EOVI.exe
File opened for modification | C:\windows\SysWOW64\IGL.exe | TDBOV.exe
File created | C:\windows\SysWOW64\CWFLDSZ.exe.bat | SYEYM.exe
File created | C:\windows\SysWOW64\RIVT.exe.bat | VHTRB.exe
File opened for modification | C:\windows\SysWOW64\UCK.exe | RHTRNMV.exe
File created | C:\windows\SysWOW64\BTSSNS.exe | YDLS.exe
File created | C:\windows\SysWOW64\OZOBB.exe | GMBVR.exe
File opened for modification | C:\windows\SysWOW64\AXUNCO.exe | YKQE.exe
File opened for modification | C:\windows\SysWOW64\YDLS.exe | FAHPNKM.exe
File created | C:\windows\SysWOW64\HNC.exe | ARZ.exe
File created | C:\windows\SysWOW64\VXAR.exe | NRVL.exe
File created | C:\windows\SysWOW64\OJKFIVS.exe | HTJFB.exe
File opened for modification | C:\windows\SysWOW64\XLFLKJC.exe | NOARDBT.exe
File created | C:\windows\SysWOW64\BPDG.exe.bat | XLFLKJC.exe
File opened for modification | C:\windows\SysWOW64\ZFK.exe | KPJHA.exe
File created | C:\windows\SysWOW64\AXUNCO.exe.bat | YKQE.exe
File created | C:\windows\SysWOW64\OGKBSN.exe | ITYAMZ.exe
File opened for modification | C:\windows\SysWOW64\YNHBOG.exe | PKQ.exe
File created | C:\windows\SysWOW64\DLREBPP.exe | STCTROG.exe
File created | C:\windows\SysWOW64\ICRGRCQ.exe | EEHQBGV.exe
File created | C:\windows\SysWOW64\WYJ.exe.bat | YNHBOG.exe
File created | C:\windows\SysWOW64\IGL.exe | TDBOV.exe
File opened for modification | C:\windows\SysWOW64\QNI.exe | AXUNCO.exe
File created | C:\windows\SysWOW64\NOMHKZO.exe | SBHPA.exe
File opened for modification | C:\windows\SysWOW64\BFI.exe | RIVT.exe
File opened for modification | C:\windows\SysWOW64\ERI.exe | NRUIO.exe
File created | C:\windows\SysWOW64\ITYAMZ.exe.bat | EDRA.exe
File opened for modification | C:\windows\SysWOW64\BTSSNS.exe | YDLS.exe
File created | C:\windows\SysWOW64\OZOBB.exe.bat | GMBVR.exe
File created | C:\windows\SysWOW64\RZHISS.exe.bat | LGS.exe
File created | C:\windows\SysWOW64\QNI.exe | AXUNCO.exe
File created | C:\windows\SysWOW64\QNI.exe.bat | AXUNCO.exe
File created | C:\windows\SysWOW64\VXAR.exe.bat | NRVL.exe
File opened for modification | C:\windows\SysWOW64\BPDG.exe | XLFLKJC.exe
File opened for modification | C:\windows\SysWOW64\DLREBPP.exe | STCTROG.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\windows\SYEYM.exe.bat | KLARBR.exe
File created | C:\windows\DCN.exe | VXAR.exe
File created | C:\windows\system\EDRA.exe | HNEIKA.exe
File created | C:\windows\system\ROREVCI.exe | KECW.exe
File opened for modification | C:\windows\system\VWI.exe | TUY.exe
File opened for modification | C:\windows\system\VXHZZ.exe | WNFJZO.exe
File created | C:\windows\system\NPZEOA.exe | OZOBB.exe
File created | C:\windows\WXWLKT.exe.bat | OJKFIVS.exe
File created | C:\windows\system\TUY.exe | VELEIV.exe
File created | C:\windows\system\HTEHT.exe | MGZ.exe
File created | C:\windows\system\BTTSN.exe.bat | VXHZZ.exe
File opened for modification | C:\windows\ATNWNP.exe | YVZKGH.exe
File opened for modification | C:\windows\system\NRUIO.exe | OYR.exe
File created | C:\windows\EFD.exe | NXP.exe
File created | C:\windows\system\TUY.exe.bat | VELEIV.exe
File created | C:\windows\EEQEMX.exe | EJMIYHW.exe
File created | C:\windows\system\JRXA.exe.bat | LGNKR.exe
File opened for modification | C:\windows\EFD.exe | NXP.exe
File created | C:\windows\system\KPJHA.exe | NPZEOA.exe
File opened for modification | C:\windows\system\TDBOV.exe | LXPHL.exe
File created | C:\windows\EOVI.exe | DLREBPP.exe
File created | C:\windows\WNFJZO.exe.bat | EEQEMX.exe
File created | C:\windows\system\GMBVR.exe.bat | BTSSNS.exe
File created | C:\windows\EEQEMX.exe.bat | EJMIYHW.exe
File created | C:\windows\system\ARZ.exe | SMMX.exe
File opened for modification | C:\windows\EEQEMX.exe | EJMIYHW.exe
File created | C:\windows\system\VXHZZ.exe | WNFJZO.exe
File created | C:\windows\system\VHTRB.exe | BPDG.exe
File created | C:\windows\system\USCHC.exe | WHRRBN.exe
File opened for modification | C:\windows\LXPHL.exe | FCLGX.exe
File opened for modification | C:\windows\NRVL.exe | ZWKK.exe
File created | C:\windows\EJMIYHW.exe | DGWMKX.exe
File opened for modification | C:\windows\system\LGNKR.exe | KDJ.exe
File created | C:\windows\system\JRXA.exe | LGNKR.exe
File created | C:\windows\system\NXP.exe.bat | NRXZUYN.exe
File created | C:\windows\GCRZH.exe.bat | LZJBTMN.exe
File opened for modification | C:\windows\HTJFB.exe | CORQL.exe
File created | C:\windows\HTJFB.exe.bat | CORQL.exe
File created | C:\windows\system\EDRA.exe.bat | HNEIKA.exe
File created | C:\windows\VELEIV.exe.bat | IGL.exe
File created | C:\windows\SBHPA.exe.bat | BTTSN.exe
File opened for modification | C:\windows\NOARDBT.exe | LQMEV.exe
File created | C:\windows\system\FVPOZA.exe.bat | BFI.exe
File created | C:\windows\TLYMYUA.exe.bat | AIUJS.exe
File opened for modification | C:\windows\system\HNEIKA.exe | KMUGGVI.exe
File opened for modification | C:\windows\STCTROG.exe | NSS.exe
File created | C:\windows\BXJTKQ.exe.bat | RZEG.exe
File opened for modification | C:\windows\system\GWJ.exe | HTEHT.exe
File created | C:\windows\NIMZFAS.exe | WYJ.exe
File created | C:\windows\EJMIYHW.exe.bat | DGWMKX.exe
File created | C:\windows\system\BTTSN.exe | VXHZZ.exe
File created | C:\windows\system\UZHOKXF.exe.bat | XTB.exe
File opened for modification | C:\windows\HDUFA.exe | VLEUR.exe
File created | C:\windows\ATNWNP.exe.bat | YVZKGH.exe
File created | C:\windows\system\KRS.exe.bat | ATNWNP.exe
File created | C:\windows\system\HTEHT.exe.bat | MGZ.exe
File opened for modification | C:\windows\system\TVELSRQ.exe | ODU.exe
File opened for modification | C:\windows\GCL.exe | NOMHKZO.exe
File opened for modification | C:\windows\CUB.exe | JRXA.exe
File created | C:\windows\system\USCHC.exe.bat | WHRRBN.exe
File created | C:\windows\system\VWI.exe.bat | TUY.exe
File created | C:\windows\BXJTKQ.exe | RZEG.exe
File opened for modification | C:\windows\IDOIN.exe | HAK.exe
File created | C:\windows\system\UZHOKXF.exe | XTB.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
Process is WerFault.exe in every row.
pid | pid_target | procid_target
3392 | 3868 | 80
736 | 1008 | 88
2736 | 2044 | 94
4480 | 4608 | 99
3332 | 3756 | 106
1300 | 2668 | 111
2508 | 2568 | 117
2136 | 4324 | 122
2076 | 2892 | 127
3788 | 4284 | 132
4552 | 4236 | 137
2840 | 1308 | 142
1204 | 5060 | 147
3100 | 4172 | 152
1300 | 812 | 157
3732 | 1944 | 162
932 | 2268 | 167
3300 | 5028 | 172
5092 | 2072 | 177
1156 | 1328 | 182
880 | 4260 | 187
2824 | 2840 | 192
2660 | 3540 | 197
5048 | 4836 | 202
2488 | 928 | 207
3208 | 2276 | 212
1520 | 860 | 217
2308 | 1008 | 222
1168 | 4480 | 227
3044 | 3028 | 232
4048 | 4584 | 237
3608 | 4940 | 242
1236 | 2840 | 247
2228 | 1664 | 252
4484 | 4376 | 257
2636 | 4288 | 264
1488 | 4520 | 269
3912 | 3504 | 274
4116 | 2384 | 280
1576 | 1964 | 285
1912 | 3284 | 290
3420 | 3808 | 295
1584 | 3320 | 300
5028 | 1352 | 305
4816 | 5072 | 310
4112 | 4960 | 315
2740 | 3032 | 320
4260 | 3456 | 325
452 | 4344 | 330
4108 | 3532 | 335
3284 | 1108 | 340
3872 | 2348 | 345
928 | 1664 | 350
2576 | 2764 | 355
1748 | 1020 | 360
4480 | 4876 | 365
3452 | 2204 | 370
4020 | 4620 | 375
452 | 2384 | 380
1832 | 5000 | 385
3284 | 1420 | 390
2112 | 4232 | 395
2068 | 2684 | 400
5072 | 2056 | 405
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process (each pair appears twice in the report, 32 distinct pairs): 3868 b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe; 1008 MGZ.exe; 2044 HTEHT.exe; 4608 GWJ.exe; 3756 XHZ.exe; 2668 YKQE.exe; 2568 AXUNCO.exe; 4324 QNI.exe; 2892 ZWKK.exe; 4284 NRVL.exe; 4236 VXAR.exe; 1308 DCN.exe; 5060 ODU.exe; 4172 TVELSRQ.exe; 812 LDSRE.exe; 1944 DGWMKX.exe; 2268 EJMIYHW.exe; 5028 EEQEMX.exe; 2072 WNFJZO.exe; 1328 VXHZZ.exe; 4260 BTTSN.exe; 2840 SBHPA.exe; 3540 NOMHKZO.exe; 4836 GCL.exe; 928 SSEF.exe; 2276 DKHQL.exe; 860 LQMEV.exe; 1008 NOARDBT.exe; 4480 XLFLKJC.exe; 3028 BPDG.exe; 4584 VHTRB.exe; 4940 RIVT.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
pid Process (each pair appears twice in the report, 32 distinct pairs): 3868 b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe; 1008 MGZ.exe; 2044 HTEHT.exe; 4608 GWJ.exe; 3756 XHZ.exe; 2668 YKQE.exe; 2568 AXUNCO.exe; 4324 QNI.exe; 2892 ZWKK.exe; 4284 NRVL.exe; 4236 VXAR.exe; 1308 DCN.exe; 5060 ODU.exe; 4172 TVELSRQ.exe; 812 LDSRE.exe; 1944 DGWMKX.exe; 2268 EJMIYHW.exe; 5028 EEQEMX.exe; 2072 WNFJZO.exe; 1328 VXHZZ.exe; 4260 BTTSN.exe; 2840 SBHPA.exe; 3540 NOMHKZO.exe; 4836 GCL.exe; 928 SSEF.exe; 2276 DKHQL.exe; 860 LQMEV.exe; 1008 NOARDBT.exe; 4480 XLFLKJC.exe; 3028 BPDG.exe; 4584 VHTRB.exe; 4940 RIVT.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each row below is repeated three times in the report except the last, which appears once (21 x 3 + 1 = 64).
description | pid | Process | procid_target
PID 3868 wrote to memory of 3712 | 3868 | b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe | 84
PID 3712 wrote to memory of 1008 | 3712 | cmd.exe | 88
PID 1008 wrote to memory of 3208 | 1008 | MGZ.exe | 90
PID 3208 wrote to memory of 2044 | 3208 | cmd.exe | 94
PID 2044 wrote to memory of 4612 | 2044 | HTEHT.exe | 95
PID 4612 wrote to memory of 4608 | 4612 | cmd.exe | 99
PID 4608 wrote to memory of 4256 | 4608 | GWJ.exe | 102
PID 4256 wrote to memory of 3756 | 4256 | cmd.exe | 106
PID 3756 wrote to memory of 4940 | 3756 | XHZ.exe | 107
PID 4940 wrote to memory of 2668 | 4940 | cmd.exe | 111
PID 2668 wrote to memory of 1936 | 2668 | YKQE.exe | 113
PID 1936 wrote to memory of 2568 | 1936 | cmd.exe | 117
PID 2568 wrote to memory of 4968 | 2568 | AXUNCO.exe | 118
PID 4968 wrote to memory of 4324 | 4968 | cmd.exe | 122
PID 4324 wrote to memory of 2636 | 4324 | QNI.exe | 123
PID 2636 wrote to memory of 2892 | 2636 | cmd.exe | 127
PID 2892 wrote to memory of 376 | 2892 | ZWKK.exe | 128
PID 376 wrote to memory of 4284 | 376 | cmd.exe | 132
PID 4284 wrote to memory of 3192 | 4284 | NRVL.exe | 133
PID 3192 wrote to memory of 4236 | 3192 | cmd.exe | 137
PID 4236 wrote to memory of 2524 | 4236 | VXAR.exe | 138
PID 2524 wrote to memory of 1308 | 2524 | cmd.exe | 142
Processes
-
C:\Users\Admin\AppData\Local\Temp\b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MGZ.exe.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\windows\SysWOW64\MGZ.exeC:\windows\system32\MGZ.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HTEHT.exe.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\windows\system\HTEHT.exeC:\windows\system\HTEHT.exe5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GWJ.exe.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\windows\system\GWJ.exeC:\windows\system\GWJ.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XHZ.exe.bat" "8⤵
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\windows\system\XHZ.exeC:\windows\system\XHZ.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YKQE.exe.bat" "10⤵
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\windows\system\YKQE.exeC:\windows\system\YKQE.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\AXUNCO.exe.bat" "12⤵
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\windows\SysWOW64\AXUNCO.exeC:\windows\system32\AXUNCO.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QNI.exe.bat" "14⤵
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\windows\SysWOW64\QNI.exeC:\windows\system32\QNI.exe15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZWKK.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\windows\ZWKK.exeC:\windows\ZWKK.exe17⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NRVL.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:376 -
C:\windows\NRVL.exeC:\windows\NRVL.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VXAR.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\windows\SysWOW64\VXAR.exeC:\windows\system32\VXAR.exe21⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DCN.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\windows\DCN.exeC:\windows\DCN.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1308 -
C:\Windows\SysWOW64\cmd.exe (depth 24, PID 4796)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ODU.exe.bat" "
-
C:\windows\ODU.exe (depth 25, PID 5060)
Command line: C:\windows\ODU.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 26, PID 1828)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\TVELSRQ.exe.bat" "
-
C:\windows\system\TVELSRQ.exe (depth 27, PID 4172)
Command line: C:\windows\system\TVELSRQ.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 28, PID 4048)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\LDSRE.exe.bat" "
-
C:\windows\SysWOW64\LDSRE.exe (depth 29, PID 812)
Command line: C:\windows\system32\LDSRE.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 30, PID 2660)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DGWMKX.exe.bat" "
-
C:\windows\SysWOW64\DGWMKX.exe (depth 31, PID 1944)
Command line: C:\windows\system32\DGWMKX.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 32, PID 1860)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\EJMIYHW.exe.bat" "
-
C:\windows\EJMIYHW.exe (depth 33, PID 2268)
Command line: C:\windows\EJMIYHW.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 34, PID 4864)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\EEQEMX.exe.bat" "
-
C:\windows\EEQEMX.exe (depth 35, PID 5028)
Command line: C:\windows\EEQEMX.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 36, PID 5016)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WNFJZO.exe.bat" "
-
C:\windows\WNFJZO.exe (depth 37, PID 2072)
Command line: C:\windows\WNFJZO.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 38, PID 3376)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VXHZZ.exe.bat" "
-
C:\windows\system\VXHZZ.exe (depth 39, PID 1328)
Command line: C:\windows\system\VXHZZ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 40, PID 1280)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\BTTSN.exe.bat" "
-
C:\windows\system\BTTSN.exe (depth 41, PID 4260)
Command line: C:\windows\system\BTTSN.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 42, PID 4112)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\SBHPA.exe.bat" "
-
C:\windows\SBHPA.exe (depth 43, PID 2840)
Command line: C:\windows\SBHPA.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 44, PID 4392)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOMHKZO.exe.bat" "
-
C:\windows\SysWOW64\NOMHKZO.exe (depth 45, PID 3540)
Command line: C:\windows\system32\NOMHKZO.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 46, PID 1160)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\GCL.exe.bat" "
-
C:\windows\GCL.exe (depth 47, PID 4836)
Command line: C:\windows\GCL.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 48, PID 4872)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SSEF.exe.bat" "
-
C:\windows\SysWOW64\SSEF.exe (depth 49, PID 928)
Command line: C:\windows\system32\SSEF.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 50, PID 2148)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DKHQL.exe.bat" "
-
C:\windows\system\DKHQL.exe (depth 51, PID 2276)
Command line: C:\windows\system\DKHQL.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 52, PID 3828)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\LQMEV.exe.bat" "
-
C:\windows\LQMEV.exe (depth 53, PID 860)
Command line: C:\windows\LQMEV.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 54, PID 3708)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NOARDBT.exe.bat" "
-
C:\windows\NOARDBT.exe (depth 55, PID 1008)
Command line: C:\windows\NOARDBT.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 56, PID 3216)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\XLFLKJC.exe.bat" "
-
C:\windows\SysWOW64\XLFLKJC.exe (depth 57, PID 4480)
Command line: C:\windows\system32\XLFLKJC.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 58, PID 2224)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BPDG.exe.bat" "
-
C:\windows\SysWOW64\BPDG.exe (depth 59, PID 3028)
Command line: C:\windows\system32\BPDG.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 60, PID 3912)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VHTRB.exe.bat" "
-
C:\windows\system\VHTRB.exe (depth 61, PID 4584)
Command line: C:\windows\system\VHTRB.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 62, PID 3212)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RIVT.exe.bat" "
-
C:\windows\SysWOW64\RIVT.exe (depth 63, PID 4940)
Command line: C:\windows\system32\RIVT.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe (depth 64, PID 3532)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BFI.exe.bat" "
-
C:\windows\SysWOW64\BFI.exe (depth 65, PID 2840)
Command line: C:\windows\system32\BFI.exe
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 66, PID 232)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FVPOZA.exe.bat" "
-
C:\windows\system\FVPOZA.exe (depth 67, PID 1664)
Command line: C:\windows\system\FVPOZA.exe
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 68, PID 1516)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\CORQL.exe.bat" "
-
C:\windows\SysWOW64\CORQL.exe (depth 69, PID 4376)
Command line: C:\windows\system32\CORQL.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 70, PID 3196)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\HTJFB.exe.bat" "
-
C:\windows\HTJFB.exe (depth 71, PID 4288)
Command line: C:\windows\HTJFB.exe
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe (depth 72, PID 5072)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OJKFIVS.exe.bat" "
-
C:\windows\SysWOW64\OJKFIVS.exe (depth 73, PID 4520)
Command line: C:\windows\system32\OJKFIVS.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 74, PID 668)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\WXWLKT.exe.bat" "
-
C:\windows\WXWLKT.exe (depth 75, PID 3504)
Command line: C:\windows\WXWLKT.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 76, PID 2968)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\UNK.exe.bat" "
-
C:\windows\UNK.exe (depth 77, PID 2384)
Command line: C:\windows\UNK.exe
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe (depth 78, PID 4396)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KDJ.exe.bat" "
-
C:\windows\SysWOW64\KDJ.exe (depth 79, PID 1964)
Command line: C:\windows\system32\KDJ.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 80, PID 1932)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\LGNKR.exe.bat" "
-
C:\windows\system\LGNKR.exe (depth 81, PID 3284)
Command line: C:\windows\system\LGNKR.exe
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 82, PID 4476)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\JRXA.exe.bat" "
-
C:\windows\system\JRXA.exe (depth 83, PID 3808)
Command line: C:\windows\system\JRXA.exe
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 84, PID 1300)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\CUB.exe.bat" "
-
C:\windows\CUB.exe (depth 85, PID 3320)
Command line: C:\windows\CUB.exe
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 86, PID 1484)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KZGCQMN.exe.bat" "
-
C:\windows\SysWOW64\KZGCQMN.exe (depth 87, PID 1352)
Command line: C:\windows\system32\KZGCQMN.exe
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 88, PID 2076)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\XKWBE.exe.bat" "
-
C:\windows\XKWBE.exe (depth 89, PID 5072)
Command line: C:\windows\XKWBE.exe
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe (depth 90, PID 1020)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ASFXLJE.exe.bat" "
-
C:\windows\SysWOW64\ASFXLJE.exe (depth 91, PID 4960)
Command line: C:\windows\system32\ASFXLJE.exe
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe (depth 92, PID 3308)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\PNOC.exe.bat" "
-
C:\windows\SysWOW64\PNOC.exe (depth 93, PID 3032)
Command line: C:\windows\system32\PNOC.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 94, PID 4488)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OYR.exe.bat" "
-
C:\windows\OYR.exe (depth 95, PID 3456)
Command line: C:\windows\OYR.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 96, PID 880)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NRUIO.exe.bat" "
-
C:\windows\system\NRUIO.exe (depth 97, PID 4344)
Command line: C:\windows\system\NRUIO.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe (depth 98, PID 2760)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ERI.exe.bat" "
-
C:\windows\SysWOW64\ERI.exe (depth 99, PID 3532)
Command line: C:\windows\system32\ERI.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 100, PID 2444)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KMUGGVI.exe.bat" "
-
C:\windows\system\KMUGGVI.exe (depth 101, PID 1108)
Command line: C:\windows\system\KMUGGVI.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe (depth 102, PID 4756)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HNEIKA.exe.bat" "
-
C:\windows\system\HNEIKA.exe (depth 103, PID 2348)
Command line: C:\windows\system\HNEIKA.exe
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\windows\system\HNEIKA.exeC:\windows\system\HNEIKA.exe103⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2348 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EDRA.exe.bat" "104⤵PID:1260
-
C:\windows\system\EDRA.exeC:\windows\system\EDRA.exe105⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ITYAMZ.exe.bat" "106⤵PID:1520
-
C:\windows\SysWOW64\ITYAMZ.exeC:\windows\system32\ITYAMZ.exe107⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OGKBSN.exe.bat" "108⤵PID:2068
-
C:\windows\SysWOW64\OGKBSN.exeC:\windows\system32\OGKBSN.exe109⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WUOHC.exe.bat" "110⤵PID:3488
-
C:\windows\SysWOW64\WUOHC.exeC:\windows\system32\WUOHC.exe111⤵
- Checks computer location settings
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RHTRNMV.exe.bat" "112⤵PID:3932
-
C:\windows\SysWOW64\RHTRNMV.exeC:\windows\system32\RHTRNMV.exe113⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UCK.exe.bat" "114⤵PID:5092
-
C:\windows\SysWOW64\UCK.exeC:\windows\system32\UCK.exe115⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HAK.exe.bat" "116⤵PID:1932
-
C:\windows\SysWOW64\HAK.exeC:\windows\system32\HAK.exe117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\IDOIN.exe.bat" "118⤵PID:4932
-
C:\windows\IDOIN.exeC:\windows\IDOIN.exe119⤵
- Checks computer location settings
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XTB.exe.bat" "120⤵PID:1116
-
C:\windows\system\XTB.exeC:\windows\system\XTB.exe121⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1420 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\UZHOKXF.exe.bat" "122⤵PID:3980
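The tree above is a relay: each cmd.exe hop runs a freshly written NAME.exe.bat, and the next hop is the NAME.exe that batch file starts, dropped into C:\windows, C:\windows\system or C:\windows\system32 (for the system32 drops the logged image is C:\windows\SysWOW64\NAME.exe while the command line says system32, which is consistent with WOW64 file-system redirection of a 32-bit process). Two details matter if a detection is built from this tree. First, PIDs are recycled within the run: 2840 appears at depth 43 and again at depth 65, and 5072, 1664, 1932, 2384, 1020 and 3532 each appear twice, so a rule keyed on PID alone conflates unrelated processes. Second, the stable signal is the launcher shape cmd.exe /c ""PATH.exe.bat" " followed by a child whose image is PATH.exe (after WOW64 mapping) and which immediately drops the next pair. The Python below is an added triage helper, not part of the sandbox report or of the sample; the six events are transcribed from the tree above, parent/child relationships are taken from depth order, and the record fields are the editor's own rather than any sandbox or Sysmon schema.

```python
"""Added triage helper (not part of the sandbox report): walks a process tree
like the one above and flags the cmd.exe -> NAME.exe.bat -> NAME.exe relay the
sample uses to re-launch itself under a fresh random name on every hop."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    depth: int          # nesting level in the tree (24, 25, ...)
    pid: int
    image: str          # on-disk image that actually ran
    cmdline: str        # command line as logged
    tags: tuple = ()    # sandbox behaviour tags for this process


# Constructed sample: six hops transcribed from the tree above, including the
# two processes that both received PID 2840 (depths 43 and 65).
EVENTS = [
    ProcEvent(24, 4796, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\windows\ODU.exe.bat" "'),
    ProcEvent(25, 5060, r"C:\windows\ODU.exe", r"C:\windows\ODU.exe",
              ("Executes dropped EXE", "Drops file in Windows directory",
               "Suspicious use of SetWindowsHookEx")),
    ProcEvent(42, 4112, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\windows\SBHPA.exe.bat" "'),
    ProcEvent(43, 2840, r"C:\windows\SBHPA.exe", r"C:\windows\SBHPA.exe",
              ("Checks computer location settings", "Executes dropped EXE",
               "Drops file in System32 directory")),
    ProcEvent(64, 3532, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\windows\system32\BFI.exe.bat" "'),
    ProcEvent(65, 2840, r"C:\windows\SysWOW64\BFI.exe", r"C:\windows\system32\BFI.exe",
              ("Executes dropped EXE", "Drops file in Windows directory")),
]

# cmd.exe /c ""PATH.exe.bat" "  is the launcher shape seen on every hop.
LAUNCHER_RE = re.compile(
    r'cmd\.exe\s+/c\s+"*(?P<bat>[A-Za-z]:\\[^"]+?\.exe\.bat)"', re.IGNORECASE)

# Directories the sample writes into; a user-launched process creating
# executables directly in any of them is the behaviour worth alerting on.
DROP_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32"}


def launcher_target(cmdline):
    """Return the NAME.exe.bat path if cmdline is the relay launcher, else None."""
    m = LAUNCHER_RE.search(cmdline)
    return m.group("bat") if m else None


def in_drop_dir(path):
    """True when the file sits directly in one of the dropper's target directories."""
    parent = path.rsplit("\\", 1)[0].lower()
    return parent in DROP_DIRS


def wow64_path(path):
    """Map a System32 path to the SysWOW64 path a 32-bit process really opens.
    The tree logs the image under SysWOW64 while the command line says system32."""
    return re.sub(r"(?i)^(c:\\windows)\\system32\\", r"\1\\SysWOW64\\", path)


def find_relay_hops(events):
    """Pair each launcher with the dropped EXE it starts: the entry one level
    deeper whose image is the .bat path minus '.bat' (after WOW64 mapping)."""
    by_depth = {e.depth: e for e in events}
    hops = []
    for ev in events:
        bat = launcher_target(ev.cmdline)
        if bat is None:
            continue
        expected_image = wow64_path(bat[:-len(".bat")])
        child = by_depth.get(ev.depth + 1)
        if child is None:
            continue
        hops.append({
            "launcher_pid": ev.pid,
            "child_pid": child.pid,
            "bat": bat,
            "expected_image": expected_image,
            "image_matches": child.image.lower() == expected_image.lower(),
            "drops_into_windows": in_drop_dir(bat),
            "hooks_input": "Suspicious use of SetWindowsHookEx" in child.tags,
        })
    return hops


def reused_pids(events):
    """PIDs that occur more than once in the tree. Key detections on
    (pid, depth) or process start time, never on the PID alone."""
    counts = Counter(e.pid for e in events)
    return sorted(p for p, n in counts.items() if n > 1)


def triage(events):
    """Summarise the relay: hop count, drop locations, image/command-line
    agreement, hook installers, and recycled PIDs."""
    hops = find_relay_hops(events)
    return {
        "relay_hops": len(hops),
        "all_drop_into_windows": all(h["drops_into_windows"] for h in hops),
        "all_images_match": all(h["image_matches"] for h in hops),
        "hook_installers": [h["child_pid"] for h in hops if h["hooks_input"]],
        "reused_pids": reused_pids(events),
    }


if __name__ == "__main__":
    for hop in find_relay_hops(EVENTS):
        print(hop)
    print(triage(EVENTS))
```

On the six transcribed events this reports three relay hops, all dropping into the Windows tree, every child image agreeing with its launcher's .bat path once the system32 to SysWOW64 mapping is applied, PID 5060 as the one hook installer in the sample, and PID 2840 as recycled. Feeding it the whole tree would need the remaining hops transcribed into the same ProcEvent shape.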