Analysis
-
max time kernel
150s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted
09/05/2024, 14:18
Behavioral task
behavioral1
Sample
5997f4cb9f0b863da332731e191882a0_NeikiAnalytics.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
-
Target
5997f4cb9f0b863da332731e191882a0_NeikiAnalytics.exe
-
Size
483KB
-
MD5
5997f4cb9f0b863da332731e191882a0
-
SHA1
6daa508d8e92e9e9eb0ed93cc7ccb27b7f40a9cb
-
SHA256
17e5e77efe41e990c2cdc99af3e7bd4b99948473c79a06785fbb272d9c62c9e8
-
SHA512
c13329f3b193d7aeb82216e7e7a4a31c75c29d6c887f12578cfc25cd76924e2d782ce57667ba003de5b69f758e7647eadf3230ccce9055dac7ff5255b9dfb1ad
-
SSDEEP
6144:mcm7ImGddXv/VWrXD486jCpoAhlq1mEjBqLyOSlhNFF2Y:I7TcfNWj168w1VjsyvhNFF2Y
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2156-5-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/3108-19-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/5056-25-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/1072-14-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/1140-12-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/2000-37-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/916-54-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/3456-65-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/2400-71-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4408-77-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4876-89-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4160-95-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/2740-105-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/3596-111-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/1640-117-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/3880-122-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4704-126-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/1536-137-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/5116-150-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4684-158-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4980-163-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon 
behavioral2/memory/4836-177-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/3684-182-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4040-188-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4332-195-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4400-209-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/888-215-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/1936-225-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/3688-229-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/2284-239-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/2652-250-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4292-257-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4580-264-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/788-268-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4820-276-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/764-277-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/2740-283-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/3520-298-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4612-304-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4612-309-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/1256-327-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/2676-331-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon 
behavioral2/memory/4376-336-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/1864-335-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/3416-350-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/2840-384-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/1592-385-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/2224-406-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/1388-410-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/2320-423-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/5108-436-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/1704-449-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/1508-463-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/208-492-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4304-502-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/3588-525-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/1124-553-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4776-554-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/3836-665-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/1088-678-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/468-707-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4580-807-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon behavioral2/memory/4996-886-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon 
behavioral2/memory/4232-1155-0x0000000000400000-0x000000000042E000-memory.dmp family_blackmoon -
Malware Dropper & Backdoor - Berbew 32 IoCs
Berbew is a backdoor Trojan that can download and install additional malware, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0006000000023288-3.dat family_berbew behavioral2/files/0x000800000002340c-9.dat family_berbew behavioral2/files/0x0007000000023410-13.dat family_berbew behavioral2/files/0x0007000000023412-29.dat family_berbew behavioral2/files/0x0007000000023411-23.dat family_berbew behavioral2/files/0x0007000000023414-34.dat family_berbew behavioral2/files/0x0007000000023415-41.dat family_berbew behavioral2/files/0x0007000000023416-47.dat family_berbew behavioral2/files/0x0007000000023417-51.dat family_berbew behavioral2/files/0x0007000000023418-58.dat family_berbew behavioral2/files/0x0007000000023419-63.dat family_berbew behavioral2/files/0x000700000002341a-72.dat family_berbew behavioral2/files/0x000700000002341b-75.dat family_berbew behavioral2/files/0x000700000002341c-83.dat family_berbew behavioral2/files/0x000700000002341d-90.dat family_berbew behavioral2/files/0x000700000002341e-94.dat family_berbew behavioral2/files/0x000800000002340d-99.dat family_berbew behavioral2/files/0x000700000002341f-106.dat family_berbew behavioral2/files/0x0007000000023420-110.dat family_berbew behavioral2/files/0x0007000000023421-116.dat family_berbew behavioral2/files/0x0007000000023422-123.dat family_berbew behavioral2/files/0x0007000000023423-129.dat family_berbew behavioral2/files/0x0007000000023424-133.dat family_berbew behavioral2/files/0x0007000000023425-140.dat family_berbew behavioral2/files/0x0007000000023426-144.dat family_berbew behavioral2/files/0x0007000000023427-149.dat family_berbew behavioral2/files/0x0007000000023428-154.dat family_berbew behavioral2/files/0x000700000001d9e8-160.dat family_berbew behavioral2/files/0x0007000000023429-166.dat family_berbew behavioral2/files/0x000700000002342a-171.dat family_berbew behavioral2/files/0x000700000002342b-176.dat family_berbew behavioral2/files/0x000a000000023386-183.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1140 5ffxxxx.exe 1072 hntnnn.exe 3108 pdjdv.exe 5056 xxlllrx.exe 2000 bbbhtt.exe 820 bntnnn.exe 2004 dvvpp.exe 916 llrrrrl.exe 3644 tnnhhh.exe 3456 rlrrllr.exe 2400 jpjjv.exe 4408 frrllff.exe 3212 jdvdp.exe 4876 1lrlflf.exe 2320 dvdvp.exe 4160 fxllrlr.exe 2740 7xlfxxr.exe 3596 nbbhbt.exe 1640 xlrfxrl.exe 3880 7nhtnh.exe 4704 5vjvv.exe 4612 fxlxlrf.exe 1536 hthbtn.exe 1168 3ppjd.exe 5116 7hhthh.exe 3192 jvvjd.exe 4684 fflrxxl.exe 4980 7bhhhb.exe 3196 nhhtnh.exe 4836 rrrllfx.exe 3684 9jdvp.exe 4040 3hhbnt.exe 4020 dpdpj.exe 4332 xxlxlfr.exe 1556 7bnnbt.exe 1260 vdjvv.exe 2392 rrxxxrr.exe 2184 hntnhb.exe 4400 thbtnn.exe 888 dvvpd.exe 4800 rfrlxfx.exe 2540 bhhbth.exe 1936 pjvpd.exe 3688 1rrfxfr.exe 2004 flxxrxl.exe 4620 9bhbnn.exe 2284 7jdjd.exe 3080 htnbth.exe 2224 vpjvj.exe 1644 jvvpj.exe 2652 bbbnhb.exe 4292 7btnbb.exe 3844 ddppd.exe 3616 lfrlfxr.exe 4580 hnnbtn.exe 788 nthtnt.exe 4820 pdppp.exe 764 9rxfrlx.exe 2740 hhbnbb.exe 4644 pddpv.exe 3288 rxfrllf.exe 3768 nhbbnn.exe 3520 pjjjd.exe 616 dvvpj.exe -
resource yara_rule behavioral2/memory/2156-5-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3108-19-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/5056-25-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2000-30-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/1072-14-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/1140-12-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/820-38-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2000-37-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/916-54-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3456-65-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2400-71-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4408-77-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4876-89-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4160-95-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2740-105-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3596-111-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/1640-113-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/1640-117-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3880-122-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4704-126-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/1536-137-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/5116-150-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4684-158-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4980-163-0x0000000000400000-0x000000000042E000-memory.dmp upx 
behavioral2/memory/4836-177-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3684-182-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4040-188-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4332-195-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4400-209-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/888-215-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/1936-225-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3688-229-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2284-236-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2284-239-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/1644-246-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2652-250-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4292-257-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4580-264-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/788-268-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4820-276-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/764-277-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2740-283-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4644-284-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3288-288-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3520-298-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4612-304-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4612-309-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3052-316-0x0000000000400000-0x000000000042E000-memory.dmp upx 
behavioral2/memory/1256-323-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/1256-327-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2676-331-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/4376-336-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/1864-335-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3416-346-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3416-350-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2840-384-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/1592-385-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3540-389-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/3020-396-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2224-406-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/1388-410-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/2320-423-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/5108-436-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral2/memory/1704-449-0x0000000000400000-0x000000000042E000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2156 wrote to memory of 1140 2156 5997f4cb9f0b863da332731e191882a0_NeikiAnalytics.exe 82 PID 2156 wrote to memory of 1140 2156 5997f4cb9f0b863da332731e191882a0_NeikiAnalytics.exe 82 PID 2156 wrote to memory of 1140 2156 5997f4cb9f0b863da332731e191882a0_NeikiAnalytics.exe 82 PID 1140 wrote to memory of 1072 1140 5ffxxxx.exe 83 PID 1140 wrote to memory of 1072 1140 5ffxxxx.exe 83 PID 1140 wrote to memory of 1072 1140 5ffxxxx.exe 83 PID 1072 wrote to memory of 3108 1072 hntnnn.exe 84 PID 1072 wrote to memory of 3108 1072 hntnnn.exe 84 PID 1072 wrote to memory of 3108 1072 hntnnn.exe 84 PID 3108 wrote to memory of 5056 3108 pdjdv.exe 85 PID 3108 wrote to memory of 5056 3108 pdjdv.exe 85 PID 3108 wrote to memory of 5056 3108 pdjdv.exe 85 PID 5056 wrote to memory of 2000 5056 xxlllrx.exe 86 PID 5056 wrote to memory of 2000 5056 xxlllrx.exe 86 PID 5056 wrote to memory of 2000 5056 xxlllrx.exe 86 PID 2000 wrote to memory of 820 2000 bbbhtt.exe 88 PID 2000 wrote to memory of 820 2000 bbbhtt.exe 88 PID 2000 wrote to memory of 820 2000 bbbhtt.exe 88 PID 820 wrote to memory of 2004 820 bntnnn.exe 89 PID 820 wrote to memory of 2004 820 bntnnn.exe 89 PID 820 wrote to memory of 2004 820 bntnnn.exe 89 PID 2004 wrote to memory of 916 2004 dvvpp.exe 90 PID 2004 wrote to memory of 916 2004 dvvpp.exe 90 PID 2004 wrote to memory of 916 2004 dvvpp.exe 90 PID 916 wrote to memory of 3644 916 llrrrrl.exe 92 PID 916 wrote to memory of 3644 916 llrrrrl.exe 92 PID 916 wrote to memory of 3644 916 llrrrrl.exe 92 PID 3644 wrote to memory of 3456 3644 tnnhhh.exe 94 PID 3644 wrote to memory of 3456 3644 tnnhhh.exe 94 PID 3644 wrote to memory of 3456 3644 tnnhhh.exe 94 PID 3456 wrote to memory of 2400 3456 rlrrllr.exe 95 PID 3456 wrote to memory of 2400 3456 rlrrllr.exe 95 PID 3456 wrote to memory of 2400 3456 rlrrllr.exe 95 PID 2400 wrote to memory of 4408 2400 jpjjv.exe 96 PID 2400 wrote to memory of 4408 2400 jpjjv.exe 96 PID 2400 wrote to memory of 4408 
2400 jpjjv.exe 96 PID 4408 wrote to memory of 3212 4408 frrllff.exe 97 PID 4408 wrote to memory of 3212 4408 frrllff.exe 97 PID 4408 wrote to memory of 3212 4408 frrllff.exe 97 PID 3212 wrote to memory of 4876 3212 jdvdp.exe 99 PID 3212 wrote to memory of 4876 3212 jdvdp.exe 99 PID 3212 wrote to memory of 4876 3212 jdvdp.exe 99 PID 4876 wrote to memory of 2320 4876 1lrlflf.exe 100 PID 4876 wrote to memory of 2320 4876 1lrlflf.exe 100 PID 4876 wrote to memory of 2320 4876 1lrlflf.exe 100 PID 2320 wrote to memory of 4160 2320 dvdvp.exe 101 PID 2320 wrote to memory of 4160 2320 dvdvp.exe 101 PID 2320 wrote to memory of 4160 2320 dvdvp.exe 101 PID 4160 wrote to memory of 2740 4160 fxllrlr.exe 102 PID 4160 wrote to memory of 2740 4160 fxllrlr.exe 102 PID 4160 wrote to memory of 2740 4160 fxllrlr.exe 102 PID 2740 wrote to memory of 3596 2740 7xlfxxr.exe 103 PID 2740 wrote to memory of 3596 2740 7xlfxxr.exe 103 PID 2740 wrote to memory of 3596 2740 7xlfxxr.exe 103 PID 3596 wrote to memory of 1640 3596 nbbhbt.exe 104 PID 3596 wrote to memory of 1640 3596 nbbhbt.exe 104 PID 3596 wrote to memory of 1640 3596 nbbhbt.exe 104 PID 1640 wrote to memory of 3880 1640 xlrfxrl.exe 105 PID 1640 wrote to memory of 3880 1640 xlrfxrl.exe 105 PID 1640 wrote to memory of 3880 1640 xlrfxrl.exe 105 PID 3880 wrote to memory of 4704 3880 7nhtnh.exe 106 PID 3880 wrote to memory of 4704 3880 7nhtnh.exe 106 PID 3880 wrote to memory of 4704 3880 7nhtnh.exe 106 PID 4704 wrote to memory of 4612 4704 5vjvv.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\5997f4cb9f0b863da332731e191882a0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5997f4cb9f0b863da332731e191882a0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\5ffxxxx.exec:\5ffxxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\hntnnn.exec:\hntnnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\pdjdv.exec:\pdjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\xxlllrx.exec:\xxlllrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\bbbhtt.exec:\bbbhtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\bntnnn.exec:\bntnnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\dvvpp.exec:\dvvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\llrrrrl.exec:\llrrrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\tnnhhh.exec:\tnnhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\rlrrllr.exec:\rlrrllr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\jpjjv.exec:\jpjjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\frrllff.exec:\frrllff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\jdvdp.exec:\jdvdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\1lrlflf.exec:\1lrlflf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\dvdvp.exec:\dvdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\fxllrlr.exec:\fxllrlr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\7xlfxxr.exec:\7xlfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\nbbhbt.exec:\nbbhbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\xlrfxrl.exec:\xlrfxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\7nhtnh.exec:\7nhtnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\5vjvv.exec:\5vjvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\fxlxlrf.exec:\fxlxlrf.exe23⤵
- Executes dropped EXE
PID:4612 -
\??\c:\hthbtn.exec:\hthbtn.exe24⤵
- Executes dropped EXE
PID:1536 -
\??\c:\3ppjd.exec:\3ppjd.exe25⤵
- Executes dropped EXE
PID:1168 -
\??\c:\7hhthh.exec:\7hhthh.exe26⤵
- Executes dropped EXE
PID:5116 -
\??\c:\jvvjd.exec:\jvvjd.exe27⤵
- Executes dropped EXE
PID:3192 -
\??\c:\fflrxxl.exec:\fflrxxl.exe28⤵
- Executes dropped EXE
PID:4684 -
\??\c:\7bhhhb.exec:\7bhhhb.exe29⤵
- Executes dropped EXE
PID:4980 -
\??\c:\nhhtnh.exec:\nhhtnh.exe30⤵
- Executes dropped EXE
PID:3196 -
\??\c:\rrrllfx.exec:\rrrllfx.exe31⤵
- Executes dropped EXE
PID:4836 -
\??\c:\9jdvp.exec:\9jdvp.exe32⤵
- Executes dropped EXE
PID:3684 -
\??\c:\3hhbnt.exec:\3hhbnt.exe33⤵
- Executes dropped EXE
PID:4040 -
\??\c:\dpdpj.exec:\dpdpj.exe34⤵
- Executes dropped EXE
PID:4020 -
\??\c:\xxlxlfr.exec:\xxlxlfr.exe35⤵
- Executes dropped EXE
PID:4332 -
\??\c:\7bnnbt.exec:\7bnnbt.exe36⤵
- Executes dropped EXE
PID:1556 -
\??\c:\vdjvv.exec:\vdjvv.exe37⤵
- Executes dropped EXE
PID:1260 -
\??\c:\rrxxxrr.exec:\rrxxxrr.exe38⤵
- Executes dropped EXE
PID:2392 -
\??\c:\hntnhb.exec:\hntnhb.exe39⤵
- Executes dropped EXE
PID:2184 -
\??\c:\thbtnn.exec:\thbtnn.exe40⤵
- Executes dropped EXE
PID:4400 -
\??\c:\dvvpd.exec:\dvvpd.exe41⤵
- Executes dropped EXE
PID:888 -
\??\c:\rfrlxfx.exec:\rfrlxfx.exe42⤵
- Executes dropped EXE
PID:4800 -
\??\c:\bhhbth.exec:\bhhbth.exe43⤵
- Executes dropped EXE
PID:2540 -
\??\c:\pjvpd.exec:\pjvpd.exe44⤵
- Executes dropped EXE
PID:1936 -
\??\c:\1rrfxfr.exec:\1rrfxfr.exe45⤵
- Executes dropped EXE
PID:3688 -
\??\c:\flxxrxl.exec:\flxxrxl.exe46⤵
- Executes dropped EXE
PID:2004 -
\??\c:\9bhbnn.exec:\9bhbnn.exe47⤵
- Executes dropped EXE
PID:4620 -
\??\c:\7jdjd.exec:\7jdjd.exe48⤵
- Executes dropped EXE
PID:2284 -
\??\c:\htnbth.exec:\htnbth.exe49⤵
- Executes dropped EXE
PID:3080 -
\??\c:\vpjvj.exec:\vpjvj.exe50⤵
- Executes dropped EXE
PID:2224 -
\??\c:\jvvpj.exec:\jvvpj.exe51⤵
- Executes dropped EXE
PID:1644 -
\??\c:\bbbnhb.exec:\bbbnhb.exe52⤵
- Executes dropped EXE
PID:2652 -
\??\c:\7btnbb.exec:\7btnbb.exe53⤵
- Executes dropped EXE
PID:4292 -
\??\c:\ddppd.exec:\ddppd.exe54⤵
- Executes dropped EXE
PID:3844 -
\??\c:\lfrlfxr.exec:\lfrlfxr.exe55⤵
- Executes dropped EXE
PID:3616 -
\??\c:\hnnbtn.exec:\hnnbtn.exe56⤵
- Executes dropped EXE
PID:4580 -
\??\c:\nthtnt.exec:\nthtnt.exe57⤵
- Executes dropped EXE
PID:788 -
\??\c:\pdppp.exec:\pdppp.exe58⤵
- Executes dropped EXE
PID:4820 -
\??\c:\9rxfrlx.exec:\9rxfrlx.exe59⤵
- Executes dropped EXE
PID:764 -
\??\c:\hhbnbb.exec:\hhbnbb.exe60⤵
- Executes dropped EXE
PID:2740 -
\??\c:\pddpv.exec:\pddpv.exe61⤵
- Executes dropped EXE
PID:4644 -
\??\c:\rxfrllf.exec:\rxfrllf.exe62⤵
- Executes dropped EXE
PID:3288 -
\??\c:\nhbbnn.exec:\nhbbnn.exe63⤵
- Executes dropped EXE
PID:3768 -
\??\c:\pjjjd.exec:\pjjjd.exe64⤵
- Executes dropped EXE
PID:3520 -
\??\c:\dvvpj.exec:\dvvpj.exe65⤵
- Executes dropped EXE
PID:616 -
\??\c:\lllffxl.exec:\lllffxl.exe66⤵PID:1900
-
\??\c:\nhbtnb.exec:\nhbtnb.exe67⤵PID:4612
-
\??\c:\jppdv.exec:\jppdv.exe68⤵PID:4392
-
\??\c:\lxxxrlx.exec:\lxxxrlx.exe69⤵PID:2940
-
\??\c:\llrllxr.exec:\llrllxr.exe70⤵PID:3052
-
\??\c:\9hnbtb.exec:\9hnbtb.exe71⤵PID:2440
-
\??\c:\3jjvj.exec:\3jjvj.exe72⤵PID:1256
-
\??\c:\rffxxlx.exec:\rffxxlx.exe73⤵PID:2676
-
\??\c:\5hnbnn.exec:\5hnbnn.exe74⤵PID:4376
-
\??\c:\7dvpd.exec:\7dvpd.exe75⤵PID:1864
-
\??\c:\xflxllf.exec:\xflxllf.exe76⤵PID:2296
-
\??\c:\thnhhn.exec:\thnhhn.exe77⤵PID:4468
-
\??\c:\jvvjv.exec:\jvvjv.exe78⤵PID:3416
-
\??\c:\5djvp.exec:\5djvp.exe79⤵PID:4328
-
\??\c:\rrrlxlf.exec:\rrrlxlf.exe80⤵PID:3504
-
\??\c:\3xlfrlf.exec:\3xlfrlf.exe81⤵PID:1304
-
\??\c:\lxrlfxl.exec:\lxrlfxl.exe82⤵PID:3636
-
\??\c:\bnnhtt.exec:\bnnhtt.exe83⤵PID:2140
-
\??\c:\pjvjp.exec:\pjvjp.exe84⤵PID:1880
-
\??\c:\fxlrfrl.exec:\fxlrfrl.exe85⤵PID:4400
-
\??\c:\9hbthb.exec:\9hbthb.exe86⤵PID:4076
-
\??\c:\ppvjp.exec:\ppvjp.exe87⤵PID:4800
-
\??\c:\xffxxrr.exec:\xffxxrr.exe88⤵PID:2540
-
\??\c:\tbbhtn.exec:\tbbhtn.exe89⤵PID:2840
-
\??\c:\pjdpj.exec:\pjdpj.exe90⤵PID:1592
-
\??\c:\3pvjd.exec:\3pvjd.exe91⤵PID:3540
-
\??\c:\lxxxlrl.exec:\lxxxlrl.exe92⤵PID:4620
-
\??\c:\3hbnbb.exec:\3hbnbb.exe93⤵PID:3020
-
\??\c:\jppjd.exec:\jppjd.exe94⤵PID:1920
-
\??\c:\rrxxrrl.exec:\rrxxrrl.exe95⤵PID:2224
-
\??\c:\nntntn.exec:\nntntn.exe96⤵PID:1388
-
\??\c:\bnthbb.exec:\bnthbb.exe97⤵PID:2652
-
\??\c:\jjjvj.exec:\jjjvj.exe98⤵PID:3612
-
\??\c:\fxfrrll.exec:\fxfrrll.exe99⤵PID:3924
-
\??\c:\btbhbh.exec:\btbhbh.exe100⤵PID:3616
-
\??\c:\jpvvv.exec:\jpvvv.exe101⤵PID:2320
-
\??\c:\lxllffx.exec:\lxllffx.exe102⤵PID:4160
-
\??\c:\lllxfrl.exec:\lllxfrl.exe103⤵PID:2848
-
\??\c:\nbnhhh.exec:\nbnhhh.exe104⤵PID:5108
-
\??\c:\pjddv.exec:\pjddv.exe105⤵PID:4856
-
\??\c:\vdjvj.exec:\vdjvj.exe106⤵PID:912
-
\??\c:\1flxfxf.exec:\1flxfxf.exe107⤵PID:3508
-
\??\c:\bntnbt.exec:\bntnbt.exe108⤵PID:3804
-
\??\c:\jdpjd.exec:\jdpjd.exe109⤵PID:1704
-
\??\c:\rffrfrf.exec:\rffrfrf.exe110⤵PID:1900
-
\??\c:\1thbnh.exec:\1thbnh.exe111⤵PID:4612
-
\??\c:\vjjdv.exec:\vjjdv.exe112⤵PID:2292
-
\??\c:\jvpdv.exec:\jvpdv.exe113⤵PID:1508
-
\??\c:\lflxrxr.exec:\lflxrxr.exe114⤵PID:4436
-
\??\c:\hbhbbn.exec:\hbhbbn.exe115⤵PID:2376
-
\??\c:\dppdp.exec:\dppdp.exe116⤵PID:4684
-
\??\c:\xlfxxrl.exec:\xlfxxrl.exe117⤵PID:952
-
\??\c:\lrxrrlf.exec:\lrxrrlf.exe118⤵PID:3196
-
\??\c:\nbtbtt.exec:\nbtbtt.exe119⤵PID:224
-
\??\c:\vvvpd.exec:\vvvpd.exe120⤵PID:2608
-
\??\c:\rlxrlfr.exec:\rlxrlfr.exe121⤵PID:208
-
\??\c:\bntttt.exec:\bntttt.exe122⤵PID:4040
-