Analysis
max time kernel: 149s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 00:03
Behavioral task: behavioral1
Sample: 6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe
Size: 448KB
MD5: 6e3060e0283732ab49c445ab40128470
SHA1: 7b2abd49eea3dc18b2032f965944338a93e8efba
SHA256: cd9fb30ef57e1c6e3b294282f81f5aee65f508f4d63956dc36a6927164d68a8c
SHA512: 6acf5b912998691053c3907f36edbac9cf81240f04ff4076f25fc13008acc79a845f770901c20f8612d091d65794ec4254a70a3ee0cf229ef716a944420a256f
SSDEEP: 12288:1AQ6jn2Hk0ftYmI1TCU4rWNSIOsbJBsbrgAeCiIMiFkmZzcukG2/:1/672HkKtYmI1TCONSIT4gAeCiITzcui
Malware Config
Signatures
Malware Dropper & Backdoor - Berbew (19 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe (depth 1, PID 468)
Command line: "C:\Users\Admin\AppData\Local\Temp\6e3060e0283732ab49c445ab40128470_NeikiAnalytics.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1204)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\AKGRMX.exe.bat" "
- Suspicious use of WriteProcessMemory

C:\windows\AKGRMX.exe (depth 3, PID 5092)
Command line: C:\windows\AKGRMX.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 4780)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\PQMGB.exe.bat" "
- Suspicious use of WriteProcessMemory

C:\windows\system\PQMGB.exe (depth 5, PID 4092)
Command line: C:\windows\system\PQMGB.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe (depth 6, PID 2368)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FQH.exe.bat" "
- Suspicious use of WriteProcessMemory

C:\windows\system\FQH.exe (depth 7, PID 1564)
Command line: C:\windows\system\FQH.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe (depth 8, PID 2216)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SBLZPKE.exe.bat" "
- Suspicious use of WriteProcessMemory

C:\windows\SysWOW64\SBLZPKE.exe (depth 9, PID 3592)
Command line: C:\windows\system32\SBLZPKE.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe (depth 10, PID 1428)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\FETQDNA.exe.bat" "
- Suspicious use of WriteProcessMemory

C:\windows\system\FETQDNA.exe (depth 11, PID 4380)
Command line: C:\windows\system\FETQDNA.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe (depth 12, PID 3820)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\IUCMKHD.exe.bat" "
- Suspicious use of WriteProcessMemory

C:\windows\IUCMKHD.exe (depth 13, PID 1680)
Command line: C:\windows\IUCMKHD.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe (depth 14, PID 3696)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OPO.exe.bat" "
- Suspicious use of WriteProcessMemory

C:\windows\OPO.exe (depth 15, PID 688)
Command line: C:\windows\OPO.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe (depth 16)
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\RDFP.exe.bat" "
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\windows\SysWOW64\RDFP.exeC:\windows\system32\RDFP.exe17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KQE.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\windows\SysWOW64\KQE.exeC:\windows\system32\KQE.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YBU.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\windows\SysWOW64\YBU.exeC:\windows\system32\YBU.exe21⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YWYH.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\windows\YWYH.exeC:\windows\YWYH.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XPOXARJ.exe.bat" "24⤵PID:4468
-
C:\windows\XPOXARJ.exeC:\windows\XPOXARJ.exe25⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZFHRYF.exe.bat" "26⤵PID:3364
-
C:\windows\ZFHRYF.exeC:\windows\ZFHRYF.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WFRUKKA.exe.bat" "28⤵PID:2588
-
C:\windows\SysWOW64\WFRUKKA.exeC:\windows\system32\WFRUKKA.exe29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NNFZXAD.exe.bat" "30⤵PID:1720
-
C:\windows\SysWOW64\NNFZXAD.exeC:\windows\system32\NNFZXAD.exe31⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BJJSCPL.exe.bat" "32⤵PID:1460
-
C:\windows\system\BJJSCPL.exeC:\windows\system\BJJSCPL.exe33⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KWTKS.exe.bat" "34⤵PID:1508
-
C:\windows\KWTKS.exeC:\windows\KWTKS.exe35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EJMIYHW.exe.bat" "36⤵PID:4076
-
C:\windows\EJMIYHW.exeC:\windows\EJMIYHW.exe37⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KXMJD.exe.bat" "38⤵PID:1232
-
C:\windows\system\KXMJD.exeC:\windows\system\KXMJD.exe39⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SKQQO.exe.bat" "40⤵PID:376
-
C:\windows\system\SKQQO.exeC:\windows\system\SKQQO.exe41⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AQDW.exe.bat" "42⤵PID:4548
-
C:\windows\AQDW.exeC:\windows\AQDW.exe43⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EGJELZR.exe.bat" "44⤵PID:3724
-
C:\windows\system\EGJELZR.exeC:\windows\system\EGJELZR.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FBN.exe.bat" "46⤵PID:832
-
C:\windows\SysWOW64\FBN.exeC:\windows\system32\FBN.exe47⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HWEK.exe.bat" "48⤵PID:5084
-
C:\windows\HWEK.exeC:\windows\HWEK.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4144 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QWGPNGK.exe.bat" "50⤵PID:1260
-
C:\windows\SysWOW64\QWGPNGK.exeC:\windows\system32\QWGPNGK.exe51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZKLVYEF.exe.bat" "52⤵PID:1864
-
C:\windows\ZKLVYEF.exeC:\windows\ZKLVYEF.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IIZQF.exe.bat" "54⤵PID:4780
-
C:\windows\system\IIZQF.exeC:\windows\system\IIZQF.exe55⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3192 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZSCG.exe.bat" "56⤵PID:2916
-
C:\windows\SysWOW64\ZSCG.exeC:\windows\system32\ZSCG.exe57⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4084 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AWFBTJM.exe.bat" "58⤵PID:3972
-
C:\windows\system\AWFBTJM.exeC:\windows\system\AWFBTJM.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PRP.exe.bat" "60⤵PID:2944
-
C:\windows\system\PRP.exeC:\windows\system\PRP.exe61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4008 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\COXR.exe.bat" "62⤵PID:3484
-
C:\windows\SysWOW64\COXR.exeC:\windows\system32\COXR.exe63⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XKCBQP.exe.bat" "64⤵PID:4340
-
C:\windows\XKCBQP.exeC:\windows\XKCBQP.exe65⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1500 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FPGPB.exe.bat" "66⤵PID:4964
-
C:\windows\FPGPB.exeC:\windows\FPGPB.exe67⤵
- Checks computer location settings
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LPODS.exe.bat" "68⤵PID:4168
-
C:\windows\LPODS.exeC:\windows\LPODS.exe69⤵
- Checks computer location settings
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\TVAKD.exe.bat" "70⤵PID:400
-
C:\windows\TVAKD.exeC:\windows\TVAKD.exe71⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SODA.exe.bat" "72⤵PID:4944
-
C:\windows\SODA.exeC:\windows\SODA.exe73⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LGTL.exe.bat" "74⤵PID:5108
-
C:\windows\system\LGTL.exeC:\windows\system\LGTL.exe75⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CPHI.exe.bat" "76⤵PID:940
-
C:\windows\SysWOW64\CPHI.exeC:\windows\system32\CPHI.exe77⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZHJ.exe.bat" "78⤵PID:3400
-
C:\windows\ZHJ.exeC:\windows\ZHJ.exe79⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4064 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SKNOQYC.exe.bat" "80⤵PID:3880
-
C:\windows\SysWOW64\SKNOQYC.exeC:\windows\system32\SKNOQYC.exe81⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QVYEZM.exe.bat" "82⤵PID:516
-
C:\windows\system\QVYEZM.exeC:\windows\system\QVYEZM.exe83⤵
- Checks computer location settings
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FQBXNA.exe.bat" "84⤵PID:1208
-
C:\windows\system\FQBXNA.exeC:\windows\system\FQBXNA.exe85⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2296 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QJRIWB.exe.bat" "86⤵PID:3264
-
C:\windows\system\QJRIWB.exeC:\windows\system\QJRIWB.exe87⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4328 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VJSSA.exe.bat" "88⤵PID:808
-
C:\windows\VJSSA.exeC:\windows\VJSSA.exe89⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XHGFQ.exe.bat" "90⤵PID:1964
-
C:\windows\system\XHGFQ.exeC:\windows\system\XHGFQ.exe91⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UXTWX.exe.bat" "92⤵PID:2956
-
C:\windows\SysWOW64\UXTWX.exeC:\windows\system32\UXTWX.exe93⤵
- Checks computer location settings
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LIWM.exe.bat" "94⤵PID:3556
-
C:\windows\LIWM.exeC:\windows\LIWM.exe95⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EAMX.exe.bat" "96⤵PID:1992
-
C:\windows\EAMX.exeC:\windows\EAMX.exe97⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JBASKRC.exe.bat" "98⤵PID:892
-
C:\windows\JBASKRC.exeC:\windows\JBASKRC.exe99⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LZB.exe.bat" "100⤵PID:4420
-
C:\windows\SysWOW64\LZB.exeC:\windows\system32\LZB.exe101⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LCFY.exe.bat" "102⤵PID:4548
-
C:\windows\LCFY.exeC:\windows\LCFY.exe103⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4760 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JCMLFYV.exe.bat" "104⤵PID:2808
-
C:\windows\SysWOW64\JCMLFYV.exeC:\windows\system32\JCMLFYV.exe105⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4648 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VFXR.exe.bat" "106⤵PID:4480
-
C:\windows\system\VFXR.exeC:\windows\system\VFXR.exe107⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NSIJ.exe.bat" "108⤵PID:3912
-
C:\windows\system\NSIJ.exeC:\windows\system\NSIJ.exe109⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XLR.exe.bat" "110⤵PID:2560
-
C:\windows\XLR.exeC:\windows\XLR.exe111⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IEUBRSJ.exe.bat" "112⤵PID:3244
-
C:\windows\SysWOW64\IEUBRSJ.exeC:\windows\system32\IEUBRSJ.exe113⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JGKXF.exe.bat" "114⤵PID:1632
-
C:\windows\JGKXF.exeC:\windows\JGKXF.exe115⤵
- Checks computer location settings
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UZFQFI.exe.bat" "116⤵PID:808
-
C:\windows\SysWOW64\UZFQFI.exeC:\windows\system32\UZFQFI.exe117⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EXTK.exe.bat" "118⤵PID:1964
-
C:\windows\EXTK.exeC:\windows\EXTK.exe119⤵
- Checks computer location settings
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RVTWXUL.exe.bat" "120⤵PID:3696
-
C:\windows\RVTWXUL.exeC:\windows\RVTWXUL.exe121⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QSERSH.exe.bat" "122⤵PID:3024
-
C:\windows\SysWOW64\QSERSH.exeC:\windows\system32\QSERSH.exe123⤵
- Checks computer location settings
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PDPHS.exe.bat" "124⤵PID:4244
-
C:\windows\SysWOW64\PDPHS.exeC:\windows\system32\PDPHS.exe125⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CBP.exe.bat" "126⤵PID:4504
-
C:\windows\SysWOW64\CBP.exeC:\windows\system32\CBP.exe127⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FWGC.exe.bat" "128⤵PID:4664
-
C:\windows\SysWOW64\FWGC.exeC:\windows\system32\FWGC.exe129⤵
- Checks computer location settings
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VHJ.exe.bat" "130⤵PID:4424
-
C:\windows\system\VHJ.exeC:\windows\system\VHJ.exe131⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DNW.exe.bat" "132⤵PID:3256
-
C:\windows\system\DNW.exeC:\windows\system\DNW.exe133⤵PID:2944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\INXBLTG.exe.bat" "134⤵PID:3696
-
C:\windows\SysWOW64\INXBLTG.exeC:\windows\system32\INXBLTG.exe135⤵
- Drops file in Windows directory
PID:3332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FTQQBWB.exe.bat" "136⤵PID:4720
-
C:\windows\system\FTQQBWB.exeC:\windows\system\FTQQBWB.exe137⤵
- Drops file in System32 directory
PID:4328 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SQQCDI.exe.bat" "138⤵PID:956
-
C:\windows\SysWOW64\SQQCDI.exeC:\windows\system32\SQQCDI.exe139⤵
- Checks computer location settings
PID:4244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AECIN.exe.bat" "140⤵PID:2008
-
C:\windows\system\AECIN.exeC:\windows\system\AECIN.exe141⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FJNYEC.exe.bat" "142⤵PID:3028
-
C:\windows\SysWOW64\FJNYEC.exeC:\windows\system32\FJNYEC.exe143⤵
- Checks computer location settings
PID:3268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DUX.exe.bat" "144⤵PID:4420
-
C:\windows\SysWOW64\DUX.exeC:\windows\system32\DUX.exe145⤵
- Drops file in Windows directory
PID:2232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FSDAUQG.exe.bat" "146⤵PID:2448
-
C:\windows\FSDAUQG.exeC:\windows\FSDAUQG.exe147⤵
- Checks computer location settings
PID:1436 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WAYMK.exe.bat" "148⤵PID:4760
-
C:\windows\system\WAYMK.exeC:\windows\system\WAYMK.exe149⤵
- Checks computer location settings
PID:4732 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HTBFT.exe.bat" "150⤵PID:3756
-
C:\windows\SysWOW64\HTBFT.exeC:\windows\system32\HTBFT.exe151⤵
- Checks computer location settings
PID:4844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\REL.exe.bat" "152⤵PID:2312
-
C:\windows\system\REL.exeC:\windows\system\REL.exe153⤵
- Drops file in Windows directory
PID:3932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KEAPON.exe.bat" "154⤵PID:376
-
C:\windows\KEAPON.exeC:\windows\KEAPON.exe155⤵
- Drops file in System32 directory
PID:468 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SKNEZM.exe.bat" "156⤵PID:3028
-
C:\windows\SysWOW64\SKNEZM.exeC:\windows\system32\SKNEZM.exe157⤵
- Drops file in System32 directory
PID:4268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UIGYXBA.exe.bat" "158⤵PID:4040
-
C:\windows\SysWOW64\UIGYXBA.exeC:\windows\system32\UIGYXBA.exe159⤵PID:3740
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BSVGP.exe.bat" "160⤵PID:3820
-
C:\windows\SysWOW64\BSVGP.exeC:\windows\system32\BSVGP.exe161⤵PID:1184
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UVZKUQ.exe.bat" "162⤵PID:2944
-
C:\windows\UVZKUQ.exeC:\windows\UVZKUQ.exe163⤵
- Checks computer location settings
PID:3376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YDGKHI.exe.bat" "164⤵PID:4400
-
C:\windows\SysWOW64\YDGKHI.exeC:\windows\system32\YDGKHI.exe165⤵
- Checks computer location settings
PID:4012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJOW.exe.bat" "166⤵PID:3164
-
C:\windows\SysWOW64\LJOW.exeC:\windows\system32\LJOW.exe167⤵
- Drops file in System32 directory
PID:4380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XRUWVMJ.exe.bat" "168⤵PID:224
-
C:\windows\SysWOW64\XRUWVMJ.exeC:\windows\system32\XRUWVMJ.exe169⤵
- Drops file in Windows directory
PID:1716 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SMLFOYR.exe.bat" "170⤵PID:3520
-
C:\windows\SMLFOYR.exeC:\windows\SMLFOYR.exe171⤵
- Checks computer location settings
PID:1680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XFNISC.exe.bat" "172⤵PID:4352
-
C:\windows\system\XFNISC.exeC:\windows\system\XFNISC.exe173⤵PID:3180
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AVUI.exe.bat" "174⤵PID:1012
-
C:\windows\AVUI.exeC:\windows\AVUI.exe175⤵PID:1044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MJBO.exe.bat" "176⤵PID:4548
-
C:\windows\SysWOW64\MJBO.exeC:\windows\system32\MJBO.exe177⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SYM.exe.bat" "178⤵PID:3824
-
C:\windows\SysWOW64\SYM.exeC:\windows\system32\SYM.exe179⤵
- Drops file in System32 directory
PID:3880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SMZ.exe.bat" "180⤵PID:1232
-
C:\windows\SysWOW64\SMZ.exeC:\windows\system32\SMZ.exe181⤵PID:4944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ICAP.exe.bat" "182⤵PID:2828
-
C:\windows\system\ICAP.exeC:\windows\system\ICAP.exe183⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HXSZ.exe.bat" "184⤵PID:1460
-
C:\windows\SysWOW64\HXSZ.exeC:\windows\system32\HXSZ.exe185⤵PID:1704
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\AAWVCOW.exe.bat" "186⤵PID:628
-
C:\windows\SysWOW64\AAWVCOW.exeC:\windows\system32\AAWVCOW.exe187⤵
- Drops file in Windows directory
PID:1116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VLEUR.exe.bat" "188⤵PID:1100
-
C:\windows\VLEUR.exeC:\windows\VLEUR.exe189⤵
- Drops file in Windows directory
PID:3260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZTL.exe.bat" "190⤵PID:4736
-
C:\windows\ZTL.exeC:\windows\ZTL.exe191⤵
- Checks computer location settings
PID:968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LGS.exe.bat" "192⤵PID:3340
-
C:\windows\system\LGS.exeC:\windows\system\LGS.exe193⤵PID:3640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KPGX.exe.bat" "194⤵PID:3044
-
C:\windows\KPGX.exeC:\windows\KPGX.exe195⤵
- Drops file in Windows directory
PID:1384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BZJ.exe.bat" "196⤵PID:832
-
C:\windows\BZJ.exeC:\windows\BZJ.exe197⤵
- Checks computer location settings
PID:4212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZXUQQV.exe.bat" "198⤵PID:4216
-
C:\windows\SysWOW64\ZXUQQV.exeC:\windows\system32\ZXUQQV.exe199⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3776 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PFDH.exe.bat" "200⤵PID:3264
-
C:\windows\SysWOW64\PFDH.exeC:\windows\system32\PFDH.exe201⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NYGXXW.exe.bat" "202⤵PID:3620
-
C:\windows\SysWOW64\NYGXXW.exeC:\windows\system32\NYGXXW.exe203⤵
- Checks computer location settings
- Drops file in System32 directory
PID:324 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XWMSNF.exe.bat" "204⤵PID:4548
-
C:\windows\SysWOW64\XWMSNF.exeC:\windows\system32\XWMSNF.exe205⤵
- Checks computer location settings
- Drops file in Windows directory
PID:808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BES.exe.bat" "206⤵PID:3532
-
C:\windows\system\BES.exeC:\windows\system\BES.exe207⤵
- Checks computer location settings
PID:1012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VWI.exe.bat" "208⤵PID:3284
-
C:\windows\system\VWI.exeC:\windows\system\VWI.exe209⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NZMGO.exe.bat" "210⤵PID:976
-
C:\windows\SysWOW64\NZMGO.exeC:\windows\system32\NZMGO.exe211⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OXTP.exe.bat" "212⤵PID:1600
-
C:\windows\SysWOW64\OXTP.exeC:\windows\system32\OXTP.exe213⤵
- Drops file in Windows directory
PID:3568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LVZ.exe.bat" "214⤵PID:400
-
C:\windows\system\LVZ.exeC:\windows\system\LVZ.exe215⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JOCCOOO.exe.bat" "216⤵PID:3932
-
C:\windows\SysWOW64\JOCCOOO.exeC:\windows\system32\JOCCOOO.exe217⤵
- Checks computer location settings
PID:2320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XRTTC.exe.bat" "218⤵PID:4876
-
C:\windows\XRTTC.exeC:\windows\XRTTC.exe219⤵PID:5092
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QRAEM.exe.bat" "220⤵PID:4796
-
C:\windows\SysWOW64\QRAEM.exeC:\windows\system32\QRAEM.exe221⤵
- Checks computer location settings
PID:4124 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DPAQ.exe.bat" "222⤵PID:2440
-
C:\windows\DPAQ.exeC:\windows\DPAQ.exe223⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YCFZYD.exe.bat" "224⤵PID:1688
-
C:\windows\system\YCFZYD.exeC:\windows\system\YCFZYD.exe225⤵PID:2940
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZFJD.exe.bat" "226⤵PID:3384
-
C:\windows\SysWOW64\ZFJD.exeC:\windows\system32\ZFJD.exe227⤵PID:1120
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RIUZRR.exe.bat" "228⤵PID:1632
-
C:\windows\system\RIUZRR.exeC:\windows\system\RIUZRR.exe229⤵
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GDEL.exe.bat" "230⤵PID:760
-
C:\windows\SysWOW64\GDEL.exeC:\windows\system32\GDEL.exe231⤵
- Checks computer location settings
- Drops file in Windows directory
PID:400 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\QBJX.exe.bat" "232⤵PID:5036
-
C:\windows\QBJX.exeC:\windows\QBJX.exe233⤵
- Drops file in Windows directory
PID:3932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SZXSYU.exe.bat" "234⤵PID:3032
-
C:\windows\system\SZXSYU.exeC:\windows\system\SZXSYU.exe235⤵
- Checks computer location settings
PID:1388 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AECYJT.exe.bat" "236⤵PID:3644
-
C:\windows\AECYJT.exeC:\windows\AECYJT.exe237⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QUDY.exe.bat" "238⤵PID:928
-
C:\windows\system\QUDY.exeC:\windows\system\QUDY.exe239⤵PID:4484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JNSJ.exe.bat" "240⤵PID:3168
-
C:\windows\JNSJ.exeC:\windows\JNSJ.exe241⤵PID:2916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LLYDHQU.exe.bat" "242⤵PID:2928