Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 00:40
Behavioral task: behavioral1
- Sample: 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
- Size: 448KB
- MD5: 6fa5b6efe1c0d617763be525ca9e1ae0
- SHA1: 8516bd6e9137c637b3c7f6557c7850afbb7294c8
- SHA256: 1e8d069ef4f60038201de6d82eae18114ba134740ceaae7b905afafe953ef38c
- SHA512: 178479b796ba9ddbed46f8b31da74064d9dfab74cce5eee2c42af66b381ac4319a228e7be666850d1732757c2430ebf94af5e6f59142f5c63b835fcea42d4901
- SSDEEP: 6144:KonNLIc1+9D9BA+pC95vvKAUOeTUF1em5sjR5jfaVPhpkEjiPISUOgW9X+hOGzCq:p+pC95vSALgUF1em5s1ukmZzcukG2/
Malware Config
Signatures
- Malware Dropper & Backdoor - Berbew (20 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
- Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Program crash (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of SetWindowsHookEx (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4648

Depth 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\UADSUM.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1080

Depth 3: C:\windows\SysWOW64\UADSUM.exe
  Command line: C:\windows\system32\UADSUM.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3572

Depth 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\CNQYXT.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2896

Depth 5: C:\windows\CNQYXT.exe
  Command line: C:\windows\CNQYXT.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3900

Depth 6: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\VLXYQYR.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1040

Depth 7: C:\windows\VLXYQYR.exe
  Command line: C:\windows\VLXYQYR.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2740

Depth 8: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\NTMVCPM.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3892

Depth 9: C:\windows\SysWOW64\NTMVCPM.exe
  Command line: C:\windows\system32\NTMVCPM.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2328

Depth 10: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VUUP.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 5092

Depth 11: C:\windows\SysWOW64\VUUP.exe
  Command line: C:\windows\system32\VUUP.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3668

Depth 12: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OUKA.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3232

Depth 13: C:\windows\OUKA.exe
  Command line: C:\windows\OUKA.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4352

Depth 14: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\PLSJD.exe.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2220

Depth 15: C:\windows\PLSJD.exe
  Command line: C:\windows\PLSJD.exe
  - Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EAF.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\windows\SysWOW64\EAF.exeC:\windows\system32\EAF.exe17⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RMQO.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\windows\RMQO.exeC:\windows\RMQO.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OBDFK.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
PID:756 -
C:\windows\system\OBDFK.exeC:\windows\system\OBDFK.exe21⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZUTQT.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\windows\system\ZUTQT.exeC:\windows\system\ZUTQT.exe23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3132 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TFIWM.exe.bat" "24⤵PID:4228
-
C:\windows\system\TFIWM.exeC:\windows\system\TFIWM.exe25⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:368 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SQSM.exe.bat" "26⤵PID:1796
-
C:\windows\SQSM.exeC:\windows\SQSM.exe27⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YLEF.exe.bat" "28⤵PID:2132
-
C:\windows\SysWOW64\YLEF.exeC:\windows\system32\YLEF.exe29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GRJL.exe.bat" "30⤵PID:2948
-
C:\windows\SysWOW64\GRJL.exeC:\windows\system32\GRJL.exe31⤵
- Checks computer location settings
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DRS.exe.bat" "32⤵PID:5096
-
C:\windows\DRS.exeC:\windows\DRS.exe33⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2280 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AHGFE.exe.bat" "34⤵PID:3340
-
C:\windows\AHGFE.exeC:\windows\AHGFE.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CFLZ.exe.bat" "36⤵PID:1960
-
C:\windows\SysWOW64\CFLZ.exeC:\windows\system32\CFLZ.exe37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4492 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JYBIE.exe.bat" "38⤵PID:336
-
C:\windows\JYBIE.exeC:\windows\JYBIE.exe39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EGJELZR.exe.bat" "40⤵PID:232
-
C:\windows\system\EGJELZR.exeC:\windows\system\EGJELZR.exe41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GTBGWLG.exe.bat" "42⤵PID:1448
-
C:\windows\GTBGWLG.exeC:\windows\GTBGWLG.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NOMHKZO.exe.bat" "44⤵PID:3252
-
C:\windows\SysWOW64\NOMHKZO.exeC:\windows\system32\NOMHKZO.exe45⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NMU.exe.bat" "46⤵PID:3740
-
C:\windows\NMU.exeC:\windows\NMU.exe47⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CIYJS.exe.bat" "48⤵PID:3500
-
C:\windows\CIYJS.exeC:\windows\CIYJS.exe49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NQRJNK.exe.bat" "50⤵PID:4584
-
C:\windows\system\NQRJNK.exeC:\windows\system\NQRJNK.exe51⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YII.exe.bat" "52⤵PID:3272
-
C:\windows\system\YII.exeC:\windows\system\YII.exe53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CYPIE.exe.bat" "54⤵PID:5020
-
C:\windows\CYPIE.exeC:\windows\CYPIE.exe55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\IUBJSTW.exe.bat" "56⤵PID:1412
-
C:\windows\IUBJSTW.exeC:\windows\IUBJSTW.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4492 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AMKJ.exe.bat" "58⤵PID:3632
-
C:\windows\system\AMKJ.exeC:\windows\system\AMKJ.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RNZO.exe.bat" "60⤵PID:3656
-
C:\windows\SysWOW64\RNZO.exeC:\windows\system32\RNZO.exe61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BVT.exe.bat" "62⤵PID:2724
-
C:\windows\system\BVT.exeC:\windows\system\BVT.exe63⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JTN.exe.bat" "64⤵PID:4408
-
C:\windows\SysWOW64\JTN.exeC:\windows\system32\JTN.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2120 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CORQL.exe.bat" "66⤵PID:4836
-
C:\windows\SysWOW64\CORQL.exeC:\windows\system32\CORQL.exe67⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BWRO.exe.bat" "68⤵PID:4384
-
C:\windows\system\BWRO.exeC:\windows\system\BWRO.exe69⤵
- Checks computer location settings
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IRDPM.exe.bat" "70⤵PID:1840
-
C:\windows\SysWOW64\IRDPM.exeC:\windows\system32\IRDPM.exe71⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PXKKSDQ.exe.bat" "72⤵PID:4604
-
C:\windows\system\PXKKSDQ.exeC:\windows\system\PXKKSDQ.exe73⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NQZSB.exe.bat" "74⤵PID:1980
-
C:\windows\system\NQZSB.exeC:\windows\system\NQZSB.exe75⤵
- Checks computer location settings
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XONMRLN.exe.bat" "76⤵PID:4352
-
C:\windows\SysWOW64\XONMRLN.exeC:\windows\system32\XONMRLN.exe77⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RBYCXYC.exe.bat" "78⤵PID:2968
-
C:\windows\SysWOW64\RBYCXYC.exeC:\windows\system32\RBYCXYC.exe79⤵
- Checks computer location settings
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RWCG.exe.bat" "80⤵PID:4344
-
C:\windows\system\RWCG.exeC:\windows\system\RWCG.exe81⤵
- Checks computer location settings
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SZSCZY.exe.bat" "82⤵PID:2092
-
C:\windows\SZSCZY.exeC:\windows\SZSCZY.exe83⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ANFJCW.exe.bat" "84⤵PID:4584
-
C:\windows\SysWOW64\ANFJCW.exeC:\windows\system32\ANFJCW.exe85⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BDNSMHS.exe.bat" "86⤵PID:2256
-
C:\windows\system\BDNSMHS.exeC:\windows\system\BDNSMHS.exe87⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JQRYXFN.exe.bat" "88⤵PID:2304
-
C:\windows\SysWOW64\JQRYXFN.exeC:\windows\system32\JQRYXFN.exe89⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RWEFHL.exe.bat" "90⤵PID:8
-
C:\windows\SysWOW64\RWEFHL.exeC:\windows\system32\RWEFHL.exe91⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2132 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EBQJ.exe.bat" "92⤵PID:3700
-
C:\windows\EBQJ.exeC:\windows\EBQJ.exe93⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FEUMYZ.exe.bat" "94⤵PID:3748
-
C:\windows\system\FEUMYZ.exeC:\windows\system\FEUMYZ.exe95⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PCUZ.exe.bat" "96⤵PID:1988
-
C:\windows\system\PCUZ.exeC:\windows\system\PCUZ.exe97⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XIZG.exe.bat" "98⤵PID:1280
-
C:\windows\system\XIZG.exeC:\windows\system\XIZG.exe99⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LOHRBKB.exe.bat" "100⤵PID:3468
-
C:\windows\LOHRBKB.exeC:\windows\LOHRBKB.exe101⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3152 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\NBQ.exe.bat" "102⤵PID:1080
-
C:\windows\SysWOW64\NBQ.exeC:\windows\system32\NBQ.exe103⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LRD.exe.bat" "104⤵PID:2160
-
C:\windows\SysWOW64\LRD.exeC:\windows\system32\LRD.exe105⤵
- Checks computer location settings
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YXLWMOI.exe.bat" "106⤵PID:4604
-
C:\windows\YXLWMOI.exeC:\windows\YXLWMOI.exe107⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4364 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JPTHVPQ.exe.bat" "108⤵PID:1980
-
C:\windows\system\JPTHVPQ.exeC:\windows\system\JPTHVPQ.exe109⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HFGZ.exe.bat" "110⤵PID:3508
-
C:\windows\system\HFGZ.exeC:\windows\system\HFGZ.exe111⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2996 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PTTF.exe.bat" "112⤵PID:4388
-
C:\windows\system\PTTF.exeC:\windows\system\PTTF.exe113⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EBUXUQQ.exe.bat" "114⤵PID:3244
-
C:\windows\SysWOW64\EBUXUQQ.exeC:\windows\system32\EBUXUQQ.exe115⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PBJIE.exe.bat" "116⤵PID:4884
-
C:\windows\PBJIE.exeC:\windows\PBJIE.exe117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NRXZUYN.exe.bat" "118⤵PID:4032
-
C:\windows\NRXZUYN.exeC:\windows\NRXZUYN.exe119⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GUAD.exe.bat" "120⤵PID:4228
-
C:\windows\GUAD.exeC:\windows\GUAD.exe121⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GKIMJY.exe.bat" "122⤵PID:4948
-
C:\windows\GKIMJY.exeC:\windows\GKIMJY.exe123⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3300 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\LQTBZU.exe.bat" "124⤵PID:232
-
C:\windows\system\LQTBZU.exeC:\windows\system\LQTBZU.exe125⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MOAKCEQ.exe.bat" "126⤵PID:1576
-
C:\windows\system\MOAKCEQ.exeC:\windows\system\MOAKCEQ.exe127⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OLOWJMZ.exe.bat" "128⤵PID:4796
-
C:\windows\SysWOW64\OLOWJMZ.exeC:\windows\system32\OLOWJMZ.exe129⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AOZKSZU.exe.bat" "130⤵PID:4908
-
C:\windows\system\AOZKSZU.exeC:\windows\system\AOZKSZU.exe131⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RXFP.exe.bat" "132⤵PID:4144
-
C:\windows\system\RXFP.exeC:\windows\system\RXFP.exe133⤵PID:2276
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BUTBUY.exe.bat" "134⤵PID:2576
-
C:\windows\BUTBUY.exeC:\windows\BUTBUY.exe135⤵
- Drops file in Windows directory
PID:112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CXJX.exe.bat" "136⤵PID:2176
-
C:\windows\CXJX.exeC:\windows\CXJX.exe137⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ROKXHV.exe.bat" "138⤵PID:3180
-
C:\windows\ROKXHV.exeC:\windows\ROKXHV.exe139⤵
- Drops file in Windows directory
PID:5068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HEX.exe.bat" "140⤵PID:3900
-
C:\windows\HEX.exeC:\windows\HEX.exe141⤵PID:1980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YMM.exe.bat" "142⤵PID:1448
-
C:\windows\system\YMM.exeC:\windows\system\YMM.exe143⤵
- Checks computer location settings
PID:696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VENOOXQ.exe.bat" "144⤵PID:4304
-
C:\windows\VENOOXQ.exeC:\windows\VENOOXQ.exe145⤵
- Checks computer location settings
PID:3684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JAZP.exe.bat" "146⤵PID:3716
-
C:\windows\SysWOW64\JAZP.exeC:\windows\system32\JAZP.exe147⤵
- Drops file in Windows directory
PID:4972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WKIFQPT.exe.bat" "148⤵PID:4648
-
C:\windows\system\WKIFQPT.exeC:\windows\system\WKIFQPT.exe149⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\INST.exe.bat" "150⤵PID:3088
-
C:\windows\INST.exeC:\windows\INST.exe151⤵PID:4732
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FOC.exe.bat" "152⤵PID:3528
-
C:\windows\FOC.exeC:\windows\FOC.exe153⤵
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LJOW.exe.bat" "154⤵PID:2720
-
C:\windows\SysWOW64\LJOW.exeC:\windows\system32\LJOW.exe155⤵
- Drops file in System32 directory
PID:3732 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XZHWEY.exe.bat" "156⤵PID:1916
-
C:\windows\SysWOW64\XZHWEY.exeC:\windows\system32\XZHWEY.exe157⤵
- Checks computer location settings
- Drops file in Windows directory
PID:1960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DMGXJB.exe.bat" "158⤵PID:2204
-
C:\windows\DMGXJB.exeC:\windows\DMGXJB.exe159⤵
- Checks computer location settings
PID:5088 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KFVF.exe.bat" "160⤵PID:4992
-
C:\windows\KFVF.exeC:\windows\KFVF.exe161⤵
- Drops file in Windows directory
PID:2068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IFDTBDQ.exe.bat" "162⤵PID:2428
-
C:\windows\system\IFDTBDQ.exeC:\windows\system\IFDTBDQ.exe163⤵
- Checks computer location settings
PID:2556 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UIN.exe.bat" "164⤵PID:3608
-
C:\windows\UIN.exeC:\windows\UIN.exe165⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EGTAAQ.exe.bat" "166⤵PID:3108
-
C:\windows\SysWOW64\EGTAAQ.exeC:\windows\system32\EGTAAQ.exe167⤵PID:1608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XJXWF.exe.bat" "168⤵PID:4060
-
C:\windows\system\XJXWF.exeC:\windows\system\XJXWF.exe169⤵
- Drops file in System32 directory
PID:3200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZSFT.exe.bat" "170⤵PID:2588
-
C:\windows\SysWOW64\ZSFT.exeC:\windows\system32\ZSFT.exe171⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BPT.exe.bat" "172⤵PID:4460
-
C:\windows\BPT.exeC:\windows\BPT.exe173⤵
- Drops file in Windows directory
PID:2720 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EDCP.exe.bat" "174⤵PID:1240
-
C:\windows\system\EDCP.exeC:\windows\system\EDCP.exe175⤵PID:1936
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WGIHN.exe.bat" "176⤵PID:4584
-
C:\windows\system\WGIHN.exeC:\windows\system\WGIHN.exe177⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ALB.exe.bat" "178⤵PID:3272
-
C:\windows\SysWOW64\ALB.exeC:\windows\system32\ALB.exe179⤵PID:368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IRF.exe.bat" "180⤵PID:3292
-
C:\windows\system\IRF.exeC:\windows\system\IRF.exe181⤵
- Drops file in System32 directory
PID:4392 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RZHISS.exe.bat" "182⤵PID:4336
-
C:\windows\SysWOW64\RZHISS.exeC:\windows\system32\RZHISS.exe183⤵PID:2864
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZFUPCR.exe.bat" "184⤵PID:5064
-
C:\windows\ZFUPCR.exeC:\windows\ZFUPCR.exe185⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SIY.exe.bat" "186⤵PID:2372
-
C:\windows\SysWOW64\SIY.exeC:\windows\system32\SIY.exe187⤵
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ANCZSFR.exe.bat" "188⤵PID:2964
-
C:\windows\SysWOW64\ANCZSFR.exeC:\windows\system32\ANCZSFR.exe189⤵
- Drops file in Windows directory
PID:3140 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZYNPBT.exe.bat" "190⤵PID:2272
-
C:\windows\ZYNPBT.exeC:\windows\ZYNPBT.exe191⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\HMSWMS.exe.bat" "192⤵PID:4864
-
C:\windows\SysWOW64\HMSWMS.exeC:\windows\system32\HMSWMS.exe193⤵
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CWIM.exe.bat" "194⤵PID:2640
-
C:\windows\SysWOW64\CWIM.exeC:\windows\system32\CWIM.exe195⤵PID:2172
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EMO.exe.bat" "196⤵PID:4452
-
C:\windows\system\EMO.exeC:\windows\system\EMO.exe197⤵PID:752
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SSOSJOO.exe.bat" "198⤵PID:5028
-
C:\windows\SSOSJOO.exeC:\windows\SSOSJOO.exe199⤵
- Checks computer location settings
PID:4352 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JACXWFR.exe.bat" "200⤵PID:536
-
C:\windows\system\JACXWFR.exeC:\windows\system\JACXWFR.exe201⤵PID:2068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XVAJTN.exe.bat" "202⤵PID:1236
-
C:\windows\system\XVAJTN.exeC:\windows\system\XVAJTN.exe203⤵
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KYWPYFU.exe.bat" "204⤵PID:4892
-
C:\windows\SysWOW64\KYWPYFU.exeC:\windows\system32\KYWPYFU.exe205⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CGLMKWX.exe.bat" "206⤵PID:4344
-
C:\windows\CGLMKWX.exeC:\windows\CGLMKWX.exe207⤵
- Drops file in System32 directory
PID:4996 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\THN.exe.bat" "208⤵PID:3052
-
C:\windows\SysWOW64\THN.exeC:\windows\system32\THN.exe209⤵
- Drops file in System32 directory
PID:4296 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BUZ.exe.bat" "210⤵PID:3252
-
C:\windows\SysWOW64\BUZ.exeC:\windows\system32\BUZ.exe211⤵
- Drops file in System32 directory
PID:4780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IKAXFN.exe.bat" "212⤵PID:4516
-
C:\windows\SysWOW64\IKAXFN.exeC:\windows\system32\IKAXFN.exe213⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LYRHRGZ.exe.bat" "214⤵PID:2356
-
C:\windows\LYRHRGZ.exeC:\windows\LYRHRGZ.exe215⤵PID:1884
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MBVD.exe.bat" "216⤵PID:1388
-
C:\windows\system\MBVD.exeC:\windows\system\MBVD.exe217⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4224 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SWZEK.exe.bat" "218⤵PID:2628
-
C:\windows\system\SWZEK.exeC:\windows\system\SWZEK.exe219⤵PID:3648
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WEN.exe.bat" "220⤵PID:2204
-
C:\windows\WEN.exeC:\windows\WEN.exe221⤵
- Checks computer location settings
PID:3268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SEPGAHO.exe.bat" "222⤵PID:2160
-
C:\windows\system\SEPGAHO.exeC:\windows\system\SEPGAHO.exe223⤵PID:984
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PKVD.exe.bat" "224⤵PID:4356
-
C:\windows\system\PKVD.exeC:\windows\system\PKVD.exe225⤵
- Drops file in Windows directory
PID:2220 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IXGTVE.exe.bat" "226⤵PID:244
-
C:\windows\system\IXGTVE.exeC:\windows\system\IXGTVE.exe227⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2724 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KAQIGS.exe.bat" "228⤵PID:4032
-
C:\windows\system\KAQIGS.exeC:\windows\system\KAQIGS.exe229⤵
- Checks computer location settings
PID:4972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PBSLK.exe.bat" "230⤵PID:3200
-
C:\windows\PBSLK.exeC:\windows\PBSLK.exe231⤵
- Drops file in Windows directory
PID:4996 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XGFRU.exe.bat" "232⤵PID:1496
-
C:\windows\system\XGFRU.exeC:\windows\system\XGFRU.exe233⤵
- Checks computer location settings
PID:3232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EWG.exe.bat" "234⤵PID:2300
-
C:\windows\SysWOW64\EWG.exeC:\windows\system32\EWG.exe235⤵
- Drops file in System32 directory
PID:4128 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YPV.exe.bat" "236⤵PID:2732
-
C:\windows\SysWOW64\YPV.exeC:\windows\system32\YPV.exe237⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXXHW.exe.bat" "238⤵PID:3012
-
C:\windows\SysWOW64\PXXHW.exeC:\windows\system32\PXXHW.exe239⤵
- Checks computer location settings
PID:3040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KKGIH.exe.bat" "240⤵PID:4088
-
C:\windows\KKGIH.exeC:\windows\KKGIH.exe241⤵PID:1772
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZAHI.exe.bat" "242⤵PID:4528