Analysis
max time kernel: 150s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/05/2024, 02:02
Behavioral task: behavioral1
Sample: 739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe
Size: 384KB
MD5: 739337e86d5fc3ee3c47179715863680
SHA1: e6609f359784adc53ee9fcdc360489b70045aebe
SHA256: 89640cd301e0dfb7431636bd53acc1c8592659cd90f1e96b2ff75d85375b4be6
SHA512: 3e69346b9878daa96853b983702a434365101e4a6302b35e96497d1245242cba950903b6aeee387eb6f876b19bfd0414a546cbab6faf63a5ffa9c07e2b829b02
SSDEEP: 6144:CXKv4gdFKjnyRlJfjkEjiPISUOgW9X+hOGzC/NM:xQXjyljkmZzcukG2/
Malware Config
Signatures
Malware Dropper & Backdoor - Berbew 19 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x000a0000000233dd-9.dat | family_berbew
behavioral2/files/0x00070000000233ee-12.dat | family_berbew
behavioral2/files/0x00090000000233e2-32.dat | family_berbew
behavioral2/files/0x000a0000000233f0-44.dat | family_berbew
behavioral2/files/0x000d0000000233ed-58.dat | family_berbew
behavioral2/files/0x001a00000002293b-82.dat | family_berbew
behavioral2/files/0x00110000000233ec-94.dat | family_berbew
behavioral2/files/0x001a0000000233e7-105.dat | family_berbew
behavioral2/files/0x000900000002335e-117.dat | family_berbew
behavioral2/files/0x0005000000022ac3-129.dat | family_berbew
behavioral2/files/0x0019000000023358-141.dat | family_berbew
behavioral2/files/0x000f00000002336d-152.dat | family_berbew
behavioral2/files/0x0014000000023370-177.dat | family_berbew
behavioral2/files/0x0013000000023371-189.dat | family_berbew
behavioral2/files/0x00150000000233ef-202.dat | family_berbew
behavioral2/files/0x001800000002337a-214.dat | family_berbew
behavioral2/files/0x0017000000023373-225.dat | family_berbew
behavioral2/files/0x00210000000233f2-237.dat | family_berbew
behavioral2/files/0x001c0000000233f3-248.dat | family_berbew
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
All 64 IoCs are the same operation, "Key value queried", on the same value: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (the sandbox user's configured country, stored as a GEOID). The querying processes are:
RQV.exe, AQN.exe, UNMH.exe, UJFLWR.exe, VGGBU.exe, LSV.exe, MDEBXL.exe, PQVCQFK.exe,
WHNBUH.exe, YCFZYD.exe, YPDBPY.exe, QLOLKHL.exe, BER.exe, BDNSMHS.exe, KQFJZS.exe,
KUVKZMC.exe, OKCK.exe, HFTWHIA.exe, IYLRDQX.exe, EESDJMD.exe, OCYXQU.exe, NRXZUYN.exe,
ZUZMU.exe, LAW.exe, HMJSB.exe, YHW.exe, SQXYEI.exe, VANUJ.exe, WISKK.exe, NZMGO.exe,
RIUZRR.exe, BLD.exe, EPDPBM.exe, MICZW.exe, TRNH.exe, INKTUN.exe, SADDT.exe, FCBH.exe,
HLYKE.exe, GOVOZKF.exe, XGATNJ.exe, DGHH.exe, CTA.exe, VRWYJJ.exe, IPD.exe, QVH.exe,
739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe, OJKFIVS.exe, DCTVB.exe, BSXFM.exe,
LIRKT.exe, RIM.exe, QJIV.exe, JMHZP.exe, ZHEMD.exe, XUYKDZG.exe, LAKE.exe, RHD.exe,
NOGA.exe, UGNBMNH.exe, QCOU.exe, HOYNK.exe, TFEHAZG.exe, LWCVIBD.exe
Executes dropped EXE 64 IoCs
pid | Process
4828 | QLOLKHL.exe
2720 | BER.exe
4284 | HZDX.exe
2244 | EFV.exe
3392 | KAMNLJ.exe
1716 | WQFNGNI.exe
1348 | YYOKNH.exe
3516 | IZQPR.exe
2360 | ZHEMD.exe
4504 | AKUISF.exe
232 | ANYM.exe
4856 | OLY.exe
2276 | POOM.exe
5020 | IGEW.exe
4620 | QUR.exe
2056 | VHWTZGR.exe
2316 | JNCQGQT.exe
4980 | RAHWQO.exe
3592 | BQURYW.exe
1688 | HLYKE.exe
3272 | DWOIS.exe
1216 | QCOU.exe
3080 | PSIXPNS.exe
2748 | GNG.exe
2936 | VSL.exe
4260 | NQDRVI.exe
3592 | HLI.exe
2568 | EESDJMD.exe
2244 | OCYXQU.exe
2684 | LCIZUY.exe
820 | VANUJ.exe
232 | MICZW.exe
3920 | QQI.exe
3152 | BJLS.exe
2692 | CHTBT.exe
3600 | XUYKDZG.exe
4856 | FACRGG.exe
2416 | LAKE.exe
3972 | TOX.exe
4472 | TRNH.exe
2396 | VGGBU.exe
4568 | OJKFIVS.exe
4984 | JUADOYO.exe
1268 | RKB.exe
4608 | KDJ.exe
1948 | FJDKX.exe
3400 | CGBHEBP.exe
864 | BUIK.exe
4292 | LSV.exe
1228 | HPGMHFV.exe
2344 | BDNSMHS.exe
1268 | FTTSY.exe
3392 | YLJDI.exe
2252 | NRGA.exe
836 | APO.exe
4940 | DCTVB.exe
612 | PNQAT.exe
1632 | YVKFWRM.exe
4392 | GBXMHP.exe
2860 | OTG.exe
1568 | UGJ.exe
1220 | MPLT.exe
2952 | MNFVYRX.exe
1552 | UXOWLVM.exe
(Pids such as 2244, 3392, 3592, 232, 4856 and 1268 appear twice: Windows reused them for later stages within the same run.)
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\windows\SysWOW64\APO.exe.bat | NRGA.exe
File opened for modification | C:\windows\SysWOW64\HOYNK.exe | VWVV.exe
File created | C:\windows\SysWOW64\MIMJV.exe.bat | SQXYEI.exe
File created | C:\windows\SysWOW64\POOM.exe.bat | OLY.exe
File created | C:\windows\SysWOW64\GNG.exe.bat | PSIXPNS.exe
File created | C:\windows\SysWOW64\ALB.exe.bat | LIRKT.exe
File created | C:\windows\SysWOW64\YGIDTL.exe | QADWJMS.exe
File opened for modification | C:\windows\SysWOW64\QHYQKZ.exe | LCFBUET.exe
File created | C:\windows\SysWOW64\FTTSY.exe.bat | BDNSMHS.exe
File opened for modification | C:\windows\SysWOW64\RKGT.exe | SADDT.exe
File opened for modification | C:\windows\SysWOW64\VGGBU.exe | TRNH.exe
File opened for modification | C:\windows\SysWOW64\MDEBXL.exe | INKTUN.exe
File created | C:\windows\SysWOW64\SADDT.exe | HHOSK.exe
File created | C:\windows\SysWOW64\LIRKT.exe | BLD.exe
File created | C:\windows\SysWOW64\NZMGO.exe | TMH.exe
File created | C:\windows\SysWOW64\YGIDTL.exe.bat | QADWJMS.exe
File created | C:\windows\SysWOW64\LCIZUY.exe | OCYXQU.exe
File created | C:\windows\SysWOW64\MICZW.exe.bat | VANUJ.exe
File opened for modification | C:\windows\SysWOW64\OJKFIVS.exe | VGGBU.exe
File created | C:\windows\SysWOW64\BUIK.exe.bat | CGBHEBP.exe
File opened for modification | C:\windows\SysWOW64\NZMGO.exe | TMH.exe
File created | C:\windows\SysWOW64\VWVV.exe | YGIDTL.exe
File opened for modification | C:\windows\SysWOW64\VHWTZGR.exe | QUR.exe
File created | C:\windows\SysWOW64\MICZW.exe | VANUJ.exe
File created | C:\windows\SysWOW64\LCIZUY.exe.bat | OCYXQU.exe
File opened for modification | C:\windows\SysWOW64\LCWO.exe | WHNBUH.exe
File created | C:\windows\SysWOW64\UPWM.exe.bat | DGHH.exe
File opened for modification | C:\windows\SysWOW64\LIRKT.exe | BLD.exe
File created | C:\windows\SysWOW64\LIRKT.exe.bat | BLD.exe
File opened for modification | C:\windows\SysWOW64\PILP.exe | ZKXYQJX.exe
File opened for modification | C:\windows\SysWOW64\ANYM.exe | AKUISF.exe
File opened for modification | C:\windows\SysWOW64\POOM.exe | OLY.exe
File created | C:\windows\SysWOW64\LCWO.exe.bat | WHNBUH.exe
File created | C:\windows\SysWOW64\UPWM.exe | DGHH.exe
File created | C:\windows\SysWOW64\ZUZMU.exe | HRWIPXB.exe
File created | C:\windows\SysWOW64\VHWTZGR.exe | QUR.exe
File opened for modification | C:\windows\SysWOW64\BUIK.exe | CGBHEBP.exe
File created | C:\windows\SysWOW64\UGJ.exe.bat | OTG.exe
File opened for modification | C:\windows\SysWOW64\INKTUN.exe | CSYSOY.exe
File created | C:\windows\SysWOW64\TFZ.exe | ACNNN.exe
File created | C:\windows\SysWOW64\TFZ.exe.bat | ACNNN.exe
File created | C:\windows\SysWOW64\HMJSB.exe | UJFLWR.exe
File created | C:\windows\SysWOW64\QQI.exe | MICZW.exe
File created | C:\windows\SysWOW64\KDJ.exe | RKB.exe
File created | C:\windows\SysWOW64\JUADOYO.exe.bat | OJKFIVS.exe
File created | C:\windows\SysWOW64\PQVCQFK.exe.bat | MDEBXL.exe
File opened for modification | C:\windows\SysWOW64\QVH.exe | IPD.exe
File created | C:\windows\SysWOW64\MIMJV.exe | SQXYEI.exe
File created | C:\windows\SysWOW64\ANYM.exe.bat | AKUISF.exe
File opened for modification | C:\windows\SysWOW64\GNG.exe | PSIXPNS.exe
File opened for modification | C:\windows\SysWOW64\CSYSOY.exe | WRZE.exe
File created | C:\windows\SysWOW64\KZSAYR.exe | RHD.exe
File created | C:\windows\SysWOW64\YSZPPT.exe.bat | BSXFM.exe
File created | C:\windows\SysWOW64\WISKK.exe.bat | YSZPPT.exe
File opened for modification | C:\windows\SysWOW64\ALB.exe | LIRKT.exe
File created | C:\windows\SysWOW64\QVH.exe.bat | IPD.exe
File created | C:\windows\SysWOW64\POOM.exe | OLY.exe
File opened for modification | C:\windows\SysWOW64\UGJ.exe | OTG.exe
File created | C:\windows\SysWOW64\RZKDH.exe.bat | LYD.exe
File opened for modification | C:\windows\SysWOW64\HMJSB.exe | UJFLWR.exe
File opened for modification | C:\windows\SysWOW64\UPWM.exe | DGHH.exe
File opened for modification | C:\windows\SysWOW64\KDJ.exe | RKB.exe
File created | C:\windows\SysWOW64\CSYSOY.exe | WRZE.exe
File created | C:\windows\SysWOW64\INKTUN.exe.bat | CSYSOY.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\windows\system\YHW.exe.bat | NZPE.exe
File created | C:\windows\system\CTA.exe.bat | SVUODN.exe
File opened for modification | C:\windows\VRGF.exe | KYD.exe
File opened for modification | C:\windows\system\OTG.exe | GBXMHP.exe
File created | C:\windows\system\KUL.exe | IWFR.exe
File created | C:\windows\TMH.exe | ZUZMU.exe
File created | C:\windows\system\ACNNN.exe.bat | UPWM.exe
File created | C:\windows\system\FKQPY.exe.bat | OKCK.exe
File created | C:\windows\system\QKNT.exe.bat | RZKDH.exe
File created | C:\windows\system\UGNBMNH.exe.bat | UNMH.exe
File created | C:\windows\NQDRVI.exe | VSL.exe
File created | C:\windows\system\SGGJ.exe | KQFJZS.exe
File created | C:\windows\system\RYAXR.exe | USCHC.exe
File created | C:\windows\NMV.exe | PQVCQFK.exe
File opened for modification | C:\windows\system\COAMS.exe | AQN.exe
File created | C:\windows\system\IYLRDQX.exe | QVH.exe
File created | C:\windows\XQO.exe.bat | IANTT.exe
File created | C:\windows\system\QUR.exe.bat | IGEW.exe
File opened for modification | C:\windows\system\EESDJMD.exe | HLI.exe
File created | C:\windows\QJIV.exe.bat | MTCNWS.exe
File created | C:\windows\QLOLKHL.exe | 739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe
File created | C:\windows\system\QUTRO.exe | KUL.exe
File created | C:\windows\system\MTCNWS.exe.bat | CTA.exe
File opened for modification | C:\windows\system\YCFZYD.exe | WEMFROA.exe
File created | C:\windows\system\YCFZYD.exe.bat | WEMFROA.exe
File opened for modification | C:\windows\IANTT.exe | TFEHAZG.exe
File created | C:\windows\system\AKUISF.exe | ZHEMD.exe
File opened for modification | C:\windows\system\YVKFWRM.exe | PNQAT.exe
File created | C:\windows\system\YVKFWRM.exe.bat | PNQAT.exe
File opened for modification | C:\windows\IPD.exe | NEMQZ.exe
File created | C:\windows\system\VRWYJJ.exe | XQO.exe
File opened for modification | C:\windows\MPLT.exe | UGJ.exe
File created | C:\windows\system\XGATNJ.exe.bat | WISKK.exe
File opened for modification | C:\windows\system\IWFR.exe | TGESJEC.exe
File created | C:\windows\system\EPDPBM.exe.bat | LMZMOWI.exe
File created | C:\windows\system\RQV.exe.bat | TPNIG.exe
File created | C:\windows\system\UNMH.exe.bat | SFDLR.exe
File created | C:\windows\CHTBT.exe.bat | BJLS.exe
File created | C:\windows\FACRGG.exe.bat | XUYKDZG.exe
File created | C:\windows\MKOW.exe.bat | NZMGO.exe
File opened for modification | C:\windows\QIXEX.exe | RQV.exe
File created | C:\windows\system\KUWGR.exe.bat | HMJSB.exe
File created | C:\windows\VVW.exe | UXOWLVM.exe
File opened for modification | C:\windows\BLD.exe | TFZ.exe
File opened for modification | C:\windows\ZDJCEZG.exe | RIM.exe
File opened for modification | C:\windows\RHD.exe | LMEOK.exe
File created | C:\windows\system\DGHH.exe.bat | XGATNJ.exe
File created | C:\windows\system\ACNNN.exe | UPWM.exe
File opened for modification | C:\windows\system\QUTRO.exe | KUL.exe
File created | C:\windows\ZOZFBP.exe.bat | RIUZRR.exe
File opened for modification | C:\windows\system\ZHEMD.exe | IZQPR.exe
File created | C:\windows\system\QUR.exe | IGEW.exe
File opened for modification | C:\windows\VSL.exe | GNG.exe
File created | C:\windows\KUVKZMC.exe.bat | YHW.exe
File created | C:\windows\system\LMZMOWI.exe | QJIV.exe
File created | C:\windows\MNFVYRX.exe | MPLT.exe
File created | C:\windows\system\SVUODN.exe.bat | FKQPY.exe
File created | C:\windows\system\RQV.exe | TPNIG.exe
File created | C:\windows\VANUJ.exe.bat | LCIZUY.exe
File opened for modification | C:\windows\system\BDNSMHS.exe | HPGMHFV.exe
File created | C:\windows\system\GBXMHP.exe | YVKFWRM.exe
File opened for modification | C:\windows\VVW.exe | UXOWLVM.exe
File created | C:\windows\VJFSK.exe | GOVOZKF.exe
File opened for modification | C:\windows\system\DGHH.exe | XGATNJ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 64 IoCs
pid | pid_target | Process | procid_target
3676 | 4448 | WerFault.exe | 82
4168 | 4828 | WerFault.exe | 87
2500 | 2720 | WerFault.exe | 94
2088 | 4284 | WerFault.exe | 100
4608 | 2244 | WerFault.exe | 107
2056 | 3392 | WerFault.exe | 112
4568 | 1716 | WerFault.exe | 119
4396 | 1348 | WerFault.exe | 124
516 | 3516 | WerFault.exe | 129
244 | 2360 | WerFault.exe | 136
1436 | 4504 | WerFault.exe | 142
2716 | 232 | WerFault.exe | 148
1172 | 4856 | WerFault.exe | 153
3516 | 2276 | WerFault.exe | 160
4080 | 5020 | WerFault.exe | 165
1468 | 4620 | WerFault.exe | 170
2344 | 2056 | WerFault.exe | 175
2948 | 2316 | WerFault.exe | 180
4396 | 4980 | WerFault.exe | 185
2252 | 3592 | WerFault.exe | 190
4284 | 1688 | WerFault.exe | 195
3912 | 3272 | WerFault.exe | 200
1944 | 1216 | WerFault.exe | 205
2816 | 3080 | WerFault.exe | 210
892 | 2748 | WerFault.exe | 215
1676 | 2936 | WerFault.exe | 220
3948 | 4260 | WerFault.exe | 225
3616 | 3592 | WerFault.exe | 230
1972 | 2568 | WerFault.exe | 235
836 | 2244 | WerFault.exe | 240
3700 | 2684 | WerFault.exe | 245
2544 | 820 | WerFault.exe | 250
516 | 232 | WerFault.exe | 255
2908 | 3920 | WerFault.exe | 260
1480 | 3152 | WerFault.exe | 265
5080 | 2692 | WerFault.exe | 271
4272 | 3600 | WerFault.exe | 276
3656 | 4856 | WerFault.exe | 281
820 | 2416 | WerFault.exe | 286
1444 | 3972 | WerFault.exe | 292
1736 | 4472 | WerFault.exe | 297
836 | 2396 | WerFault.exe | 302
1316 | 4568 | WerFault.exe | 308
4876 | 4984 | WerFault.exe | 313
1544 | 1268 | WerFault.exe | 318
3648 | 4608 | WerFault.exe | 323
3964 | 1948 | WerFault.exe | 327
3992 | 3400 | WerFault.exe | 333
3304 | 864 | WerFault.exe | 338
4528 | 4292 | WerFault.exe | 343
1028 | 1228 | WerFault.exe | 348
1544 | 2344 | WerFault.exe | 353
1168 | 1268 | WerFault.exe | 358
1524 | 3392 | WerFault.exe | 363
3676 | 2252 | WerFault.exe | 368
3608 | 836 | WerFault.exe | 373
3852 | 4940 | WerFault.exe | 378
2392 | 612 | WerFault.exe | 383
3884 | 1632 | WerFault.exe | 388
2752 | 4392 | WerFault.exe | 393
3164 | 2860 | WerFault.exe | 398
3392 | 1568 | WerFault.exe | 403
4260 | 1220 | WerFault.exe | 408
4528 | 2952 | WerFault.exe | 413
(pid is the WerFault.exe instance; pid_target is the crashed process and procid_target its node id in the process tree. The first row is the original sample, the rest are the dropped stages in the order of the "Executes dropped EXE" table: every stage of the chain produced a crash report.)
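Joining the crash table above back to the process tree is where analysts trip over pid reuse: pid 2244 is EFV.exe early in the run and OCYXQU.exe later, and both have a WerFault row, so a join on pid_target alone attributes each crash to two processes. The report's procid_target (the per-run tree node id) is the unambiguous key. The following is an added example, not part of the sandbox report; the Node/Crash records are constructed from a subset of the tables above and the field names are an assumption about whatever export is being worked with.

```python
"""Attribute WerFault crash reports to the crashed process.

Joining on pid alone is unreliable inside one sandbox run because Windows
reuses pids; the per-run node id (procid_target in the report) is exact.
Records below are constructed from a subset of the report's tables.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    pid: int
    procid: int   # per-run tree node id (the report's procid_target)
    image: str


@dataclass(frozen=True)
class Crash:
    werfault_pid: int
    pid_target: int
    procid_target: int


# Constructed from the report: the root sample, the first stages, and the two
# later stages that were assigned a previously used pid.
NODES = [
    Node(4448, 82, "739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe"),
    Node(4828, 87, "QLOLKHL.exe"),
    Node(2720, 94, "BER.exe"),
    Node(4284, 100, "HZDX.exe"),
    Node(2244, 107, "EFV.exe"),
    Node(3392, 112, "KAMNLJ.exe"),
    Node(2244, 240, "OCYXQU.exe"),   # pid 2244 reused later in the run
    Node(3392, 363, "YLJDI.exe"),    # pid 3392 reused later in the run
]

CRASHES = [
    Crash(3676, 4448, 82), Crash(4168, 4828, 87), Crash(2500, 2720, 94),
    Crash(2088, 4284, 100), Crash(4608, 2244, 107), Crash(2056, 3392, 112),
    Crash(836, 2244, 240), Crash(1524, 3392, 363),
]


def reused_pids(nodes):
    """Pids that name more than one process node within the run."""
    seen = defaultdict(list)
    for n in nodes:
        seen[n.pid].append(n)
    return {pid for pid, ns in seen.items() if len(ns) > 1}


def attribute_by_pid(nodes, crash):
    """Naive join: every node that ever had the crashed pid is a candidate."""
    return [n.image for n in nodes if n.pid == crash.pid_target]


def attribute_by_procid(nodes, crash):
    """Exact join on the per-run node id; None if the node is not in the tree."""
    for n in nodes:
        if n.procid == crash.procid_target:
            return n.image
    return None


def crashed_stages(nodes, crashes):
    """Map each crash to the image that crashed, keyed by node id."""
    return {c.procid_target: attribute_by_procid(nodes, c) for c in crashes}


if __name__ == "__main__":
    print("reused pids:", sorted(reused_pids(NODES)))
    for c in CRASHES:
        print(f"pid {c.pid_target:>4} procid {c.procid_target:>3}: "
              f"by pid {attribute_by_pid(NODES, c)} -> by procid {attribute_by_procid(NODES, c)}")
```

The same caveat applies to the WerFault pids themselves (516 and 4396 each appear twice in the table), so when exporting these rows into a SIEM keep the node id as the join key and treat pid as a display field.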
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
Each process below is listed twice in the report (two events each, 64 IoCs in total):
4448 | 739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe
4828 | QLOLKHL.exe
2720 | BER.exe
4284 | HZDX.exe
2244 | EFV.exe
3392 | KAMNLJ.exe
1716 | WQFNGNI.exe
1348 | YYOKNH.exe
3516 | IZQPR.exe
2360 | ZHEMD.exe
4504 | AKUISF.exe
232 | ANYM.exe
4856 | OLY.exe
2276 | POOM.exe
5020 | IGEW.exe
4620 | QUR.exe
2056 | VHWTZGR.exe
2316 | JNCQGQT.exe
4980 | RAHWQO.exe
3592 | BQURYW.exe
1688 | HLYKE.exe
3272 | DWOIS.exe
1216 | QCOU.exe
3080 | PSIXPNS.exe
2748 | GNG.exe
2936 | VSL.exe
4260 | NQDRVI.exe
3592 | HLI.exe
2568 | EESDJMD.exe
2244 | OCYXQU.exe
2684 | LCIZUY.exe
820 | VANUJ.exe
Suspicious use of SetWindowsHookEx 64 IoCs
pid | Process
Each process below is listed twice in the report (two events each, 64 IoCs in total):
4448 | 739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe
4828 | QLOLKHL.exe
2720 | BER.exe
4284 | HZDX.exe
2244 | EFV.exe
3392 | KAMNLJ.exe
1716 | WQFNGNI.exe
1348 | YYOKNH.exe
3516 | IZQPR.exe
2360 | ZHEMD.exe
4504 | AKUISF.exe
232 | ANYM.exe
4856 | OLY.exe
2276 | POOM.exe
5020 | IGEW.exe
4620 | QUR.exe
2056 | VHWTZGR.exe
2316 | JNCQGQT.exe
4980 | RAHWQO.exe
3592 | BQURYW.exe
1688 | HLYKE.exe
3272 | DWOIS.exe
1216 | QCOU.exe
3080 | PSIXPNS.exe
2748 | GNG.exe
2936 | VSL.exe
4260 | NQDRVI.exe
3592 | HLI.exe
2568 | EESDJMD.exe
2244 | OCYXQU.exe
2684 | LCIZUY.exe
820 | VANUJ.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
Each "wrote to memory of" edge appears three times in the report (three WriteProcessMemory events per child; 64 IoCs in total). The distinct edges, in order, alternate between a stage EXE writing into the cmd.exe it spawns and that cmd.exe writing into the next stage:
PID 4448 wrote to memory of 1944 | 4448 | 739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe | 83
PID 1944 wrote to memory of 4828 | 1944 | cmd.exe | 87
PID 4828 wrote to memory of 836 | 4828 | QLOLKHL.exe | 90
PID 836 wrote to memory of 2720 | 836 | cmd.exe | 94
PID 2720 wrote to memory of 3076 | 2720 | BER.exe | 96
PID 3076 wrote to memory of 4284 | 3076 | cmd.exe | 100
PID 4284 wrote to memory of 1000 | 4284 | HZDX.exe | 103
PID 1000 wrote to memory of 2244 | 1000 | cmd.exe | 107
PID 2244 wrote to memory of 1908 | 2244 | EFV.exe | 108
PID 1908 wrote to memory of 3392 | 1908 | cmd.exe | 112
PID 3392 wrote to memory of 4080 | 3392 | KAMNLJ.exe | 115
PID 4080 wrote to memory of 1716 | 4080 | cmd.exe | 119
PID 1716 wrote to memory of 4764 | 1716 | WQFNGNI.exe | 120
PID 4764 wrote to memory of 1348 | 4764 | cmd.exe | 124
PID 1348 wrote to memory of 956 | 1348 | YYOKNH.exe | 125
PID 956 wrote to memory of 3516 | 956 | cmd.exe | 129
PID 3516 wrote to memory of 2276 | 3516 | IZQPR.exe | 132
PID 2276 wrote to memory of 2360 | 2276 | cmd.exe | 136
PID 2360 wrote to memory of 2756 | 2360 | ZHEMD.exe | 138
PID 2756 wrote to memory of 4504 | 2756 | cmd.exe | 142
PID 4504 wrote to memory of 1628 | 4504 | AKUISF.exe | 144
PID 1628 wrote to memory of 232 | 1628 | cmd.exe | 148 (listed once; the 64-IoC table ends here)
Processes

Process tree. The leading number is the nesting depth; each process is the child of the entry above it. The chain is a relay: every stage writes the next stage's NAME.exe and a NAME.exe.bat launcher into C:\windows, C:\windows\system or C:\windows\system32, starts cmd.exe /c on the .bat, and the batch file starts NAME.exe, which repeats the step. Where the command line says C:\Windows\system32\ the recorded image path is C:\Windows\SysWOW64\: the sample is 32-bit (resource tag arch:x86), so WoW64 file system redirection maps its system32 paths to SysWOW64. That is also why the "Drops file in System32 directory" IoCs are all under SysWOW64.

1  C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\739337e86d5fc3ee3c47179715863680_NeikiAnalytics.exe"
   - Checks computer location settings
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4448
2  C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\QLOLKHL.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 1944
3  C:\windows\QLOLKHL.exe
   cmdline: C:\windows\QLOLKHL.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4828
4  C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\BER.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 836
5  C:\windows\system\BER.exe
   cmdline: C:\windows\system\BER.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2720
6  C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\HZDX.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 3076
7  C:\windows\system\HZDX.exe
   cmdline: C:\windows\system\HZDX.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4284
8  C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\EFV.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 1000
9  C:\windows\SysWOW64\EFV.exe
   cmdline: C:\windows\system32\EFV.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2244
10 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\KAMNLJ.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 1908
11 C:\windows\system\KAMNLJ.exe
   cmdline: C:\windows\system\KAMNLJ.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3392
12 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\WQFNGNI.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 4080
13 C:\windows\WQFNGNI.exe
   cmdline: C:\windows\WQFNGNI.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1716
14 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\YYOKNH.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 4764
15 C:\windows\YYOKNH.exe
   cmdline: C:\windows\YYOKNH.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1348
16 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\IZQPR.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 956
17 C:\windows\system\IZQPR.exe
   cmdline: C:\windows\system\IZQPR.exe
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3516
18 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\ZHEMD.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 2276
19 C:\windows\system\ZHEMD.exe
   cmdline: C:\windows\system\ZHEMD.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2360
20 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\AKUISF.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 2756
21 C:\windows\system\AKUISF.exe
   cmdline: C:\windows\system\AKUISF.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4504
22 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ANYM.exe.bat" "
   - Suspicious use of WriteProcessMemory
   PID: 1628
23 C:\windows\SysWOW64\ANYM.exe
   cmdline: C:\windows\system32\ANYM.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   PID: 232
24 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\OLY.exe.bat" "
   PID: 2232
25 C:\windows\system\OLY.exe
   cmdline: C:\windows\system\OLY.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   PID: 4856
26 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\POOM.exe.bat" "
   PID: 4524
27 C:\windows\SysWOW64\POOM.exe
   cmdline: C:\windows\system32\POOM.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   PID: 2276
28 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\IGEW.exe.bat" "
   PID: 3864
29 C:\windows\IGEW.exe
   cmdline: C:\windows\IGEW.exe
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   PID: 5020
30 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QUR.exe.bat" "
   PID: 4748
31 C:\windows\system\QUR.exe
   cmdline: C:\windows\system\QUR.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   PID: 4620
32 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VHWTZGR.exe.bat" "
   PID: 1272
33 C:\windows\SysWOW64\VHWTZGR.exe
   cmdline: C:\windows\system32\VHWTZGR.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   PID: 2056
34 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\JNCQGQT.exe.bat" "
   PID: 1524
35 C:\windows\JNCQGQT.exe
   cmdline: C:\windows\JNCQGQT.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   PID: 2316
36 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RAHWQO.exe.bat" "
   PID: 2164
37 C:\windows\SysWOW64\RAHWQO.exe
   cmdline: C:\windows\system32\RAHWQO.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   PID: 4980
38 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\BQURYW.exe.bat" "
   PID: 3852
39 C:\windows\BQURYW.exe
   cmdline: C:\windows\BQURYW.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   PID: 3592
40 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\HLYKE.exe.bat" "
   PID: 4260
41 C:\windows\SysWOW64\HLYKE.exe
   cmdline: C:\windows\system32\HLYKE.exe
   - Checks computer location settings
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   PID: 1688
42 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\DWOIS.exe.bat" "
   PID: 3016
43 C:\windows\SysWOW64\DWOIS.exe
   cmdline: C:\windows\system32\DWOIS.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   PID: 3272
44 C:\Windows\SysWOW64\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows\system\QCOU.exe.bat" "
   PID: 1460
-
C:\windows\system\QCOU.exeC:\windows\system\QCOU.exe45⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PSIXPNS.exe.bat" "46⤵PID:2952
-
C:\windows\system\PSIXPNS.exeC:\windows\system\PSIXPNS.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GNG.exe.bat" "48⤵PID:2344
-
C:\windows\SysWOW64\GNG.exeC:\windows\system32\GNG.exe49⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VSL.exe.bat" "50⤵PID:5028
-
C:\windows\VSL.exeC:\windows\VSL.exe51⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NQDRVI.exe.bat" "52⤵PID:4432
-
C:\windows\NQDRVI.exeC:\windows\NQDRVI.exe53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HLI.exe.bat" "54⤵PID:1120
-
C:\windows\HLI.exeC:\windows\HLI.exe55⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EESDJMD.exe.bat" "56⤵PID:2232
-
C:\windows\system\EESDJMD.exeC:\windows\system\EESDJMD.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OCYXQU.exe.bat" "58⤵PID:1704
-
C:\windows\SysWOW64\OCYXQU.exeC:\windows\system32\OCYXQU.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCIZUY.exe.bat" "60⤵PID:2740
-
C:\windows\SysWOW64\LCIZUY.exeC:\windows\system32\LCIZUY.exe61⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VANUJ.exe.bat" "62⤵PID:4856
-
C:\windows\VANUJ.exeC:\windows\VANUJ.exe63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MICZW.exe.bat" "64⤵PID:3536
-
C:\windows\SysWOW64\MICZW.exeC:\windows\system32\MICZW.exe65⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QQI.exe.bat" "66⤵PID:3516
-
C:\windows\SysWOW64\QQI.exeC:\windows\system32\QQI.exe67⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BJLS.exe.bat" "68⤵PID:2424
-
C:\windows\system\BJLS.exeC:\windows\system\BJLS.exe69⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3152 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CHTBT.exe.bat" "70⤵PID:4340
-
C:\windows\CHTBT.exeC:\windows\CHTBT.exe71⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XUYKDZG.exe.bat" "72⤵PID:1036
-
C:\windows\XUYKDZG.exeC:\windows\XUYKDZG.exe73⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:3600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FACRGG.exe.bat" "74⤵PID:864
-
C:\windows\FACRGG.exeC:\windows\FACRGG.exe75⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LAKE.exe.bat" "76⤵PID:4876
-
C:\windows\LAKE.exeC:\windows\LAKE.exe77⤵
- Checks computer location settings
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\TOX.exe.bat" "78⤵PID:4536
-
C:\windows\TOX.exeC:\windows\TOX.exe79⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TRNH.exe.bat" "80⤵PID:224
-
C:\windows\system\TRNH.exeC:\windows\system\TRNH.exe81⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VGGBU.exe.bat" "82⤵PID:3920
-
C:\windows\SysWOW64\VGGBU.exeC:\windows\system32\VGGBU.exe83⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OJKFIVS.exe.bat" "84⤵PID:2388
-
C:\windows\SysWOW64\OJKFIVS.exeC:\windows\system32\OJKFIVS.exe85⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JUADOYO.exe.bat" "86⤵PID:4504
-
C:\windows\SysWOW64\JUADOYO.exeC:\windows\system32\JUADOYO.exe87⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RKB.exe.bat" "88⤵PID:3092
-
C:\windows\SysWOW64\RKB.exeC:\windows\system32\RKB.exe89⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KDJ.exe.bat" "90⤵PID:1912
-
C:\windows\SysWOW64\KDJ.exeC:\windows\system32\KDJ.exe91⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FJDKX.exe.bat" "92⤵PID:3536
-
C:\windows\system\FJDKX.exeC:\windows\system\FJDKX.exe93⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CGBHEBP.exe.bat" "94⤵PID:3616
-
C:\windows\CGBHEBP.exeC:\windows\CGBHEBP.exe95⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3400 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUIK.exe.bat" "96⤵PID:444
-
C:\windows\SysWOW64\BUIK.exeC:\windows\system32\BUIK.exe97⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LSV.exe.bat" "98⤵PID:1760
-
C:\windows\system\LSV.exeC:\windows\system\LSV.exe99⤵
- Checks computer location settings
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HPGMHFV.exe.bat" "100⤵PID:4820
-
C:\windows\HPGMHFV.exeC:\windows\HPGMHFV.exe101⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BDNSMHS.exe.bat" "102⤵PID:412
-
C:\windows\system\BDNSMHS.exeC:\windows\system\BDNSMHS.exe103⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FTTSY.exe.bat" "104⤵PID:1172
-
C:\windows\SysWOW64\FTTSY.exeC:\windows\system32\FTTSY.exe105⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YLJDI.exe.bat" "106⤵PID:3732
-
C:\windows\SysWOW64\YLJDI.exeC:\windows\system32\YLJDI.exe107⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NRGA.exe.bat" "108⤵PID:2832
-
C:\windows\system\NRGA.exeC:\windows\system\NRGA.exe109⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\APO.exe.bat" "110⤵PID:5020
-
C:\windows\SysWOW64\APO.exeC:\windows\system32\APO.exe111⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DCTVB.exe.bat" "112⤵PID:2300
-
C:\windows\system\DCTVB.exeC:\windows\system\DCTVB.exe113⤵
- Checks computer location settings
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PNQAT.exe.bat" "114⤵PID:3700
-
C:\windows\system\PNQAT.exeC:\windows\system\PNQAT.exe115⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YVKFWRM.exe.bat" "116⤵PID:440
-
C:\windows\system\YVKFWRM.exeC:\windows\system\YVKFWRM.exe117⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GBXMHP.exe.bat" "118⤵PID:1028
-
C:\windows\system\GBXMHP.exeC:\windows\system\GBXMHP.exe119⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4392 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OTG.exe.bat" "120⤵PID:2344
-
C:\windows\system\OTG.exeC:\windows\system\OTG.exe121⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UGJ.exe.bat" "122⤵PID:3964