Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/06/2024, 19:59
Behavioral task: behavioral1
- Sample: d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe
- Size: 448KB
- MD5: d41eac03cf654c9e4657ad9fdc374fd0
- SHA1: 83a7997fdbeee20cb9991b0770d55539e04d374a
- SHA256: 02e383641d1bee1031cb12872c7fa9782b8de3bda07f2cfb1613aa19cadf046e
- SHA512: 98351697d45eba18bc12111f8c2f299e2d0e612ce85eba844a8392810ea24a4f9348adc5a769076ae604cdcedf7c1c8d13a14250ded528ea8650cc2ca20bd927
- SSDEEP: 6144:5QaQvgqRJLU/UkEjiPISUOgW9X+hOGzC/NM:5jQ1tkmZzcukG2/
Malware Config
Signatures
Malware Dropper & Backdoor - Berbew (19 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
The number in brackets is the nesting depth in the process tree; each process below is a child of the one above it.

[1] C:\Users\Admin\AppData\Local\Temp\d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe"
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3840

[2] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\OCAHWPM.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 532

[3] C:\windows\OCAHWPM.exe
Command line: C:\windows\OCAHWPM.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2400

[4] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\IYFQ.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 1600

[5] C:\windows\SysWOW64\IYFQ.exe
Command line: C:\windows\system32\IYFQ.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 996

[6] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\VWU.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 2376

[7] C:\windows\system\VWU.exe
Command line: C:\windows\system\VWU.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3680

[8] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\KRDVXI.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 4772

[9] C:\windows\KRDVXI.exe
Command line: C:\windows\KRDVXI.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2280

[10] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\SEICHH.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 60

[11] C:\windows\SysWOW64\SEICHH.exe
Command line: C:\windows\system32\SEICHH.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4984

[12] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\GST.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 5016

[13] C:\windows\SysWOW64\GST.exe
Command line: C:\windows\system32\GST.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4384

[14] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NIUU.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 4588

[15] C:\windows\NIUU.exe
Command line: C:\windows\NIUU.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4672

[16] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\WLLQIAO.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 3760

[17] C:\windows\system\WLLQIAO.exe
Command line: C:\windows\system\WLLQIAO.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4728

[18] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\NTZNVRR.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 2592

[19] C:\windows\system\NTZNVRR.exe
Command line: C:\windows\system\NTZNVRR.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1988

[20] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\ZGGLAT.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 2080

[21] C:\windows\ZGGLAT.exe
Command line: C:\windows\ZGGLAT.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1504

[22] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\DMQAQO.exe.bat" "
- Suspicious use of WriteProcessMemory
PID: 220

[23] C:\windows\system\DMQAQO.exe
Command line: C:\windows\system\DMQAQO.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2908

[24] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system\CXBQZ.exe.bat" "
PID: 4988

[25] C:\windows\system\CXBQZ.exe
Command line: C:\windows\system\CXBQZ.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1204

[26] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\JNCQGQT.exe.bat" "
PID: 1668

[27] C:\windows\JNCQGQT.exe
Command line: C:\windows\JNCQGQT.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 560

[28] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\OSMFWLO.exe.bat" "
PID: 2488

[29] C:\windows\SysWOW64\OSMFWLO.exe
Command line: C:\windows\system32\OSMFWLO.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3380

[30] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\DINWVG.exe.bat" "
PID: 2192

[31] C:\windows\DINWVG.exe
Command line: C:\windows\DINWVG.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2168

[32] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\ELESJQ.exe.bat" "
PID: 4760

[33] C:\windows\SysWOW64\ELESJQ.exe
Command line: C:\windows\system32\ELESJQ.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4020

[34] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\NMG.exe.bat" "
PID: 2964

[35] C:\windows\NMG.exe
Command line: C:\windows\NMG.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 3536

[36] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KMPIYRQ.exe.bat" "
PID: 3392

[37] C:\windows\SysWOW64\KMPIYRQ.exe
Command line: C:\windows\system32\KMPIYRQ.exe
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4880

[38] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\RXFQQ.exe.bat" "
PID: 2076

[39] C:\windows\RXFQQ.exe
Command line: C:\windows\RXFQQ.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4408

[40] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\windows\system32\JAI.exe.bat" "
PID: 3296

[41] C:\windows\SysWOW64\JAI.exe
Command line: C:\windows\system32\JAI.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\DSYXFAW.exe.bat" "42⤵PID:1604
-
C:\windows\system\DSYXFAW.exeC:\windows\system\DSYXFAW.exe43⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SIZWM.exe.bat" "44⤵PID:4012
-
C:\windows\SysWOW64\SIZWM.exeC:\windows\system32\SIZWM.exe45⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YEKPS.exe.bat" "46⤵PID:1612
-
C:\windows\YEKPS.exeC:\windows\YEKPS.exe47⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ZHOT.exe.bat" "48⤵PID:4508
-
C:\windows\system\ZHOT.exeC:\windows\system\ZHOT.exe49⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VMHIVDX.exe.bat" "50⤵PID:1908
-
C:\windows\system\VMHIVDX.exeC:\windows\system\VMHIVDX.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\LCIZUY.exe.bat" "52⤵PID:1724
-
C:\windows\SysWOW64\LCIZUY.exeC:\windows\system32\LCIZUY.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4208 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EVPKLR.exe.bat" "54⤵PID:1800
-
C:\windows\SysWOW64\EVPKLR.exeC:\windows\system32\EVPKLR.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XYT.exe.bat" "56⤵PID:1808
-
C:\windows\SysWOW64\XYT.exeC:\windows\system32\XYT.exe57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\OYH.exe.bat" "58⤵PID:4480
-
C:\windows\OYH.exeC:\windows\OYH.exe59⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JTMV.exe.bat" "60⤵PID:5104
-
C:\windows\JTMV.exeC:\windows\JTMV.exe61⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3760 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PHLDSBL.exe.bat" "62⤵PID:3088
-
C:\windows\PHLDSBL.exeC:\windows\PHLDSBL.exe63⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:836 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QKB.exe.bat" "64⤵PID:1748
-
C:\windows\SysWOW64\QKB.exeC:\windows\system32\QKB.exe65⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VKJNQ.exe.bat" "66⤵PID:1952
-
C:\windows\SysWOW64\VKJNQ.exeC:\windows\system32\VKJNQ.exe67⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:60 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LAKE.exe.bat" "68⤵PID:3320
-
C:\windows\LAKE.exeC:\windows\LAKE.exe69⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WBZP.exe.bat" "70⤵PID:2288
-
C:\windows\system\WBZP.exeC:\windows\system\WBZP.exe71⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XWDTLR.exe.bat" "72⤵PID:1356
-
C:\windows\XWDTLR.exeC:\windows\XWDTLR.exe73⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MMEK.exe.bat" "74⤵PID:4788
-
C:\windows\SysWOW64\MMEK.exeC:\windows\system32\MMEK.exe75⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3288 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IRDPM.exe.bat" "76⤵PID:4880
-
C:\windows\SysWOW64\IRDPM.exeC:\windows\system32\IRDPM.exe77⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CFIYXDB.exe.bat" "78⤵PID:3536
-
C:\windows\system\CFIYXDB.exeC:\windows\system\CFIYXDB.exe79⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WSHWCF.exe.bat" "80⤵PID:4956
-
C:\windows\SysWOW64\WSHWCF.exeC:\windows\system32\WSHWCF.exe81⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\ZICLKK.exe.bat" "82⤵PID:3888
-
C:\windows\SysWOW64\ZICLKK.exeC:\windows\system32\ZICLKK.exe83⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TWH.exe.bat" "84⤵PID:5112
-
C:\windows\SysWOW64\TWH.exeC:\windows\system32\TWH.exe85⤵
- Checks computer location settings
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IRQYFX.exe.bat" "86⤵PID:3768
-
C:\windows\system\IRQYFX.exeC:\windows\system\IRQYFX.exe87⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LZZVM.exe.bat" "88⤵PID:1748
-
C:\windows\LZZVM.exeC:\windows\LZZVM.exe89⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CPYY.exe.bat" "90⤵PID:3840
-
C:\windows\SysWOW64\CPYY.exeC:\windows\system32\CPYY.exe91⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KCLFJJ.exe.bat" "92⤵PID:3716
-
C:\windows\SysWOW64\KCLFJJ.exeC:\windows\system32\KCLFJJ.exe93⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4884 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BDNSMHS.exe.bat" "94⤵PID:4516
-
C:\windows\system\BDNSMHS.exeC:\windows\system\BDNSMHS.exe95⤵
- Checks computer location settings
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SLBPZXN.exe.bat" "96⤵PID:4152
-
C:\windows\SysWOW64\SLBPZXN.exeC:\windows\system32\SLBPZXN.exe97⤵
- Checks computer location settings
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CTDU.exe.bat" "98⤵PID:2068
-
C:\windows\system\CTDU.exeC:\windows\system\CTDU.exe99⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\COTQRE.exe.bat" "100⤵PID:1600
-
C:\windows\SysWOW64\COTQRE.exeC:\windows\system32\COTQRE.exe101⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XKY.exe.bat" "102⤵PID:2052
-
C:\windows\system\XKY.exeC:\windows\system\XKY.exe103⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\FPD.exe.bat" "104⤵PID:4404
-
C:\windows\FPD.exeC:\windows\FPD.exe105⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\RFJOY.exe.bat" "106⤵PID:3608
-
C:\windows\system\RFJOY.exeC:\windows\system\RFJOY.exe107⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1532 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\OYTQ.exe.bat" "108⤵PID:812
-
C:\windows\system\OYTQ.exeC:\windows\system\OYTQ.exe109⤵
- Checks computer location settings
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\BICPQCB.exe.bat" "110⤵PID:4760
-
C:\windows\SysWOW64\BICPQCB.exeC:\windows\system32\BICPQCB.exe111⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QYDGXX.exe.bat" "112⤵PID:4080
-
C:\windows\system\QYDGXX.exeC:\windows\system\QYDGXX.exe113⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1428 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GOQ.exe.bat" "114⤵PID:2112
-
C:\windows\GOQ.exeC:\windows\GOQ.exe115⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\XXSD.exe.bat" "116⤵PID:3208
-
C:\windows\XXSD.exeC:\windows\XXSD.exe117⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:4184 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MNFVYRX.exe.bat" "118⤵PID:3392
-
C:\windows\MNFVYRX.exeC:\windows\MNFVYRX.exe119⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NQJ.exe.bat" "120⤵PID:3488
-
C:\windows\NQJ.exeC:\windows\NQJ.exe121⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VVW.exe.bat" "122⤵PID:2960