Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
22-05-2024 03:45
Behavioral task
behavioral1
Sample
162fb1c1325f43cc67a254ab8417f6c0_NeikiAnalytics.exe
Resource
win7-20240215-en
6 signatures
150 seconds
General
-
Target
162fb1c1325f43cc67a254ab8417f6c0_NeikiAnalytics.exe
-
Size
294KB
-
MD5
162fb1c1325f43cc67a254ab8417f6c0
-
SHA1
e5b8f2d55cb7a67fdb9f456bc49fd92d3092ab48
-
SHA256
adf0587abfc3064356785f163abcd6f780a64b62f6104e0a72768edeebcaeb36
-
SHA512
99d5be7c47b146e65eb255d8498b3dfca64305ee8451db9fa5d29552c5b194a9be6503dc5a7985bf0ef701d30a862d68a79903114aca44ebbca35481cb190f71
-
SSDEEP
6144:ccm4FmowdHoSQkuObHq9ltAszBd+za/p1slTjZXvEQo9dftOW:K4wFHoSQkuUHk1zBR/pMT9XvEhdfL
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3936-8-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1008-5-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3888-18-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/740-24-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4172-26-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4100-35-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4564-42-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3808-43-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2908-50-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2264-59-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4756-65-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3524-71-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2980-76-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3104-78-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/964-87-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1576-91-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/544-104-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1792-107-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3224-131-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3452-135-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4640-144-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/4800-146-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1696-157-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2708-166-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/392-179-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1796-183-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/5016-189-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4628-196-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2360-198-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4296-205-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4984-211-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4980-224-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3540-228-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4660-232-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2724-254-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4756-261-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/5060-265-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1552-272-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3892-294-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/544-295-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1792-300-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3644-309-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/1864-323-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4952-333-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2492-340-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3472-356-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4368-373-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1856-386-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4660-393-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2304-403-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4448-444-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4932-475-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1796-493-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2176-512-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2276-548-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1452-634-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1112-682-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3324-694-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1028-856-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4884-1018-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1556-1052-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4604-1265-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2276-1376-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/2276-1498-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon -
Malware Dropper & Backdoor - Berbew 32 IoCs
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000c000000023399-6.dat family_berbew behavioral2/files/0x0009000000023424-11.dat family_berbew behavioral2/files/0x0007000000023429-13.dat family_berbew behavioral2/files/0x000700000002342a-21.dat family_berbew behavioral2/files/0x000700000002342b-28.dat family_berbew behavioral2/files/0x000700000002342c-33.dat family_berbew behavioral2/files/0x000700000002342d-41.dat family_berbew behavioral2/files/0x000700000002342e-46.dat family_berbew behavioral2/files/0x000700000002342f-54.dat family_berbew behavioral2/files/0x0007000000023430-58.dat family_berbew behavioral2/files/0x0007000000023431-64.dat family_berbew behavioral2/files/0x0007000000023432-69.dat family_berbew behavioral2/files/0x0007000000023433-75.dat family_berbew behavioral2/files/0x0007000000023434-81.dat family_berbew behavioral2/files/0x0008000000023425-88.dat family_berbew behavioral2/files/0x0007000000023435-93.dat family_berbew behavioral2/files/0x0007000000023436-98.dat family_berbew behavioral2/files/0x0007000000023437-105.dat family_berbew behavioral2/files/0x0007000000023438-110.dat family_berbew behavioral2/files/0x0007000000023439-116.dat family_berbew behavioral2/files/0x000700000002343a-121.dat family_berbew behavioral2/files/0x000700000002343b-126.dat family_berbew behavioral2/files/0x000700000002343d-132.dat family_berbew behavioral2/files/0x000700000002343e-137.dat family_berbew behavioral2/files/0x000700000002343f-143.dat family_berbew behavioral2/files/0x0007000000023440-150.dat family_berbew behavioral2/files/0x0007000000023441-155.dat family_berbew behavioral2/files/0x0007000000023442-162.dat family_berbew behavioral2/files/0x0007000000023443-167.dat family_berbew behavioral2/files/0x0007000000023444-171.dat family_berbew behavioral2/files/0x0007000000023445-176.dat family_berbew behavioral2/files/0x0007000000023446-184.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3936 xxflffr.exe 3888 thnbbh.exe 740 btbbtn.exe 4172 ppjjd.exe 4100 rffllrx.exe 4564 lxfrrxr.exe 3808 nbbttt.exe 2908 rxfxxff.exe 2264 hntnhn.exe 4756 rfxlrxf.exe 3524 fxrlrlr.exe 2980 xrxrllf.exe 3104 pvvpv.exe 964 rxfxrll.exe 1576 1vddd.exe 4128 rlrlffr.exe 544 pdpjj.exe 1792 fffxxrr.exe 540 nttbhh.exe 5116 xxrlfff.exe 4228 tthbbt.exe 3224 vjpjd.exe 3452 rlfxrlf.exe 4640 jpppj.exe 4800 1frrlfx.exe 1696 ntnnbh.exe 4216 llxxrlf.exe 2708 hnttnb.exe 1852 7xxrrrl.exe 392 vddvp.exe 1796 vjdvv.exe 736 9tthbh.exe 5016 dpvvv.exe 4628 rlxrffr.exe 2360 hhnhnh.exe 652 7nbtnh.exe 4296 pjppv.exe 4984 llrfrlx.exe 3936 tntnhh.exe 1452 dvddv.exe 3888 rrllrrx.exe 4980 xxffflf.exe 3540 bnbbtt.exe 4660 7pjvp.exe 1920 rrrlffx.exe 4488 nhthnt.exe 4888 dvdpj.exe 2304 lfrlflf.exe 400 fxfxfll.exe 1368 btbttn.exe 2724 9dvpd.exe 2264 llfxxrx.exe 4756 btntbb.exe 5060 1dvpd.exe 4772 xlrxrrl.exe 1552 hbbtnn.exe 2536 nhbttt.exe 4392 5vvpp.exe 1840 lxffxxr.exe 1556 tnhbtt.exe 2184 pjddv.exe 1576 jdjjd.exe 3892 lffrrff.exe 544 nbbbth.exe -
resource yara_rule behavioral2/memory/1008-0-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000c000000023399-6.dat upx behavioral2/memory/3936-8-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0009000000023424-11.dat upx behavioral2/memory/1008-5-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0007000000023429-13.dat upx behavioral2/memory/3888-18-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000700000002342a-21.dat upx behavioral2/memory/740-24-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4172-26-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000700000002342b-28.dat upx behavioral2/files/0x000700000002342c-33.dat upx behavioral2/memory/4100-35-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000700000002342d-41.dat upx behavioral2/memory/4564-42-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3808-43-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000700000002342e-46.dat upx behavioral2/memory/2908-50-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000700000002342f-54.dat upx behavioral2/memory/2264-55-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0007000000023430-58.dat upx behavioral2/memory/2264-59-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4756-65-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0007000000023431-64.dat upx behavioral2/files/0x0007000000023432-69.dat upx behavioral2/memory/3524-71-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2980-76-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0007000000023433-75.dat upx behavioral2/memory/3104-78-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0007000000023434-81.dat upx 
behavioral2/files/0x0008000000023425-88.dat upx behavioral2/memory/964-87-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1576-91-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0007000000023435-93.dat upx behavioral2/files/0x0007000000023436-98.dat upx behavioral2/memory/544-104-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0007000000023437-105.dat upx behavioral2/memory/1792-107-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0007000000023438-110.dat upx behavioral2/files/0x0007000000023439-116.dat upx behavioral2/files/0x000700000002343a-121.dat upx behavioral2/files/0x000700000002343b-126.dat upx behavioral2/memory/3224-131-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000700000002343d-132.dat upx behavioral2/memory/3452-135-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000700000002343e-137.dat upx behavioral2/memory/4640-144-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000700000002343f-143.dat upx behavioral2/memory/4800-146-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0007000000023440-150.dat upx behavioral2/memory/1696-157-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0007000000023441-155.dat upx behavioral2/files/0x0007000000023442-162.dat upx behavioral2/memory/2708-166-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0007000000023443-167.dat upx behavioral2/files/0x0007000000023444-171.dat upx behavioral2/files/0x0007000000023445-176.dat upx behavioral2/memory/392-179-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1796-183-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0007000000023446-184.dat upx behavioral2/memory/5016-189-0x0000000000400000-0x0000000000434000-memory.dmp upx 
behavioral2/memory/4628-196-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2360-198-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4296-205-0x0000000000400000-0x0000000000434000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1008 wrote to memory of 3936 1008 162fb1c1325f43cc67a254ab8417f6c0_NeikiAnalytics.exe 83 PID 1008 wrote to memory of 3936 1008 162fb1c1325f43cc67a254ab8417f6c0_NeikiAnalytics.exe 83 PID 1008 wrote to memory of 3936 1008 162fb1c1325f43cc67a254ab8417f6c0_NeikiAnalytics.exe 83 PID 3936 wrote to memory of 3888 3936 xxflffr.exe 84 PID 3936 wrote to memory of 3888 3936 xxflffr.exe 84 PID 3936 wrote to memory of 3888 3936 xxflffr.exe 84 PID 3888 wrote to memory of 740 3888 thnbbh.exe 85 PID 3888 wrote to memory of 740 3888 thnbbh.exe 85 PID 3888 wrote to memory of 740 3888 thnbbh.exe 85 PID 740 wrote to memory of 4172 740 btbbtn.exe 86 PID 740 wrote to memory of 4172 740 btbbtn.exe 86 PID 740 wrote to memory of 4172 740 btbbtn.exe 86 PID 4172 wrote to memory of 4100 4172 ppjjd.exe 87 PID 4172 wrote to memory of 4100 4172 ppjjd.exe 87 PID 4172 wrote to memory of 4100 4172 ppjjd.exe 87 PID 4100 wrote to memory of 4564 4100 rffllrx.exe 88 PID 4100 wrote to memory of 4564 4100 rffllrx.exe 88 PID 4100 wrote to memory of 4564 4100 rffllrx.exe 88 PID 4564 wrote to memory of 3808 4564 lxfrrxr.exe 89 PID 4564 wrote to memory of 3808 4564 lxfrrxr.exe 89 PID 4564 wrote to memory of 3808 4564 lxfrrxr.exe 89 PID 3808 wrote to memory of 2908 3808 nbbttt.exe 91 PID 3808 wrote to memory of 2908 3808 nbbttt.exe 91 PID 3808 wrote to memory of 2908 3808 nbbttt.exe 91 PID 2908 wrote to memory of 2264 2908 rxfxxff.exe 92 PID 2908 wrote to memory of 2264 2908 rxfxxff.exe 92 PID 2908 wrote to memory of 2264 2908 rxfxxff.exe 92 PID 2264 wrote to memory of 4756 2264 hntnhn.exe 93 PID 2264 wrote to memory of 4756 2264 hntnhn.exe 93 PID 2264 wrote to memory of 4756 2264 hntnhn.exe 93 PID 4756 wrote to memory of 3524 4756 rfxlrxf.exe 95 PID 4756 wrote to memory of 3524 4756 rfxlrxf.exe 95 PID 4756 wrote to memory of 3524 4756 rfxlrxf.exe 95 PID 3524 wrote to memory of 2980 3524 fxrlrlr.exe 96 PID 3524 wrote to memory of 2980 3524 fxrlrlr.exe 96 PID 3524 
wrote to memory of 2980 3524 fxrlrlr.exe 96 PID 2980 wrote to memory of 3104 2980 xrxrllf.exe 97 PID 2980 wrote to memory of 3104 2980 xrxrllf.exe 97 PID 2980 wrote to memory of 3104 2980 xrxrllf.exe 97 PID 3104 wrote to memory of 964 3104 pvvpv.exe 98 PID 3104 wrote to memory of 964 3104 pvvpv.exe 98 PID 3104 wrote to memory of 964 3104 pvvpv.exe 98 PID 964 wrote to memory of 1576 964 rxfxrll.exe 100 PID 964 wrote to memory of 1576 964 rxfxrll.exe 100 PID 964 wrote to memory of 1576 964 rxfxrll.exe 100 PID 1576 wrote to memory of 4128 1576 1vddd.exe 101 PID 1576 wrote to memory of 4128 1576 1vddd.exe 101 PID 1576 wrote to memory of 4128 1576 1vddd.exe 101 PID 4128 wrote to memory of 544 4128 rlrlffr.exe 102 PID 4128 wrote to memory of 544 4128 rlrlffr.exe 102 PID 4128 wrote to memory of 544 4128 rlrlffr.exe 102 PID 544 wrote to memory of 1792 544 pdpjj.exe 103 PID 544 wrote to memory of 1792 544 pdpjj.exe 103 PID 544 wrote to memory of 1792 544 pdpjj.exe 103 PID 1792 wrote to memory of 540 1792 fffxxrr.exe 104 PID 1792 wrote to memory of 540 1792 fffxxrr.exe 104 PID 1792 wrote to memory of 540 1792 fffxxrr.exe 104 PID 540 wrote to memory of 5116 540 nttbhh.exe 105 PID 540 wrote to memory of 5116 540 nttbhh.exe 105 PID 540 wrote to memory of 5116 540 nttbhh.exe 105 PID 5116 wrote to memory of 4228 5116 xxrlfff.exe 106 PID 5116 wrote to memory of 4228 5116 xxrlfff.exe 106 PID 5116 wrote to memory of 4228 5116 xxrlfff.exe 106 PID 4228 wrote to memory of 3224 4228 tthbbt.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\162fb1c1325f43cc67a254ab8417f6c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\162fb1c1325f43cc67a254ab8417f6c0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\xxflffr.exec:\xxflffr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\thnbbh.exec:\thnbbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\btbbtn.exec:\btbbtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\ppjjd.exec:\ppjjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\rffllrx.exec:\rffllrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\lxfrrxr.exec:\lxfrrxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\nbbttt.exec:\nbbttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\rxfxxff.exec:\rxfxxff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\hntnhn.exec:\hntnhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\rfxlrxf.exec:\rfxlrxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\fxrlrlr.exec:\fxrlrlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\xrxrllf.exec:\xrxrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\pvvpv.exec:\pvvpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\rxfxrll.exec:\rxfxrll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\1vddd.exec:\1vddd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\rlrlffr.exec:\rlrlffr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\pdpjj.exec:\pdpjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\fffxxrr.exec:\fffxxrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\nttbhh.exec:\nttbhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\xxrlfff.exec:\xxrlfff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\tthbbt.exec:\tthbbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\vjpjd.exec:\vjpjd.exe23⤵
- Executes dropped EXE
PID:3224 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe24⤵
- Executes dropped EXE
PID:3452 -
\??\c:\jpppj.exec:\jpppj.exe25⤵
- Executes dropped EXE
PID:4640 -
\??\c:\1frrlfx.exec:\1frrlfx.exe26⤵
- Executes dropped EXE
PID:4800 -
\??\c:\ntnnbh.exec:\ntnnbh.exe27⤵
- Executes dropped EXE
PID:1696 -
\??\c:\llxxrlf.exec:\llxxrlf.exe28⤵
- Executes dropped EXE
PID:4216 -
\??\c:\hnttnb.exec:\hnttnb.exe29⤵
- Executes dropped EXE
PID:2708 -
\??\c:\7xxrrrl.exec:\7xxrrrl.exe30⤵
- Executes dropped EXE
PID:1852 -
\??\c:\vddvp.exec:\vddvp.exe31⤵
- Executes dropped EXE
PID:392 -
\??\c:\vjdvv.exec:\vjdvv.exe32⤵
- Executes dropped EXE
PID:1796 -
\??\c:\9tthbh.exec:\9tthbh.exe33⤵
- Executes dropped EXE
PID:736 -
\??\c:\dpvvv.exec:\dpvvv.exe34⤵
- Executes dropped EXE
PID:5016 -
\??\c:\rlxrffr.exec:\rlxrffr.exe35⤵
- Executes dropped EXE
PID:4628 -
\??\c:\hhnhnh.exec:\hhnhnh.exe36⤵
- Executes dropped EXE
PID:2360 -
\??\c:\7nbtnh.exec:\7nbtnh.exe37⤵
- Executes dropped EXE
PID:652 -
\??\c:\pjppv.exec:\pjppv.exe38⤵
- Executes dropped EXE
PID:4296 -
\??\c:\llrfrlx.exec:\llrfrlx.exe39⤵
- Executes dropped EXE
PID:4984 -
\??\c:\tntnhh.exec:\tntnhh.exe40⤵
- Executes dropped EXE
PID:3936 -
\??\c:\dvddv.exec:\dvddv.exe41⤵
- Executes dropped EXE
PID:1452 -
\??\c:\rrllrrx.exec:\rrllrrx.exe42⤵
- Executes dropped EXE
PID:3888 -
\??\c:\xxffflf.exec:\xxffflf.exe43⤵
- Executes dropped EXE
PID:4980 -
\??\c:\bnbbtt.exec:\bnbbtt.exe44⤵
- Executes dropped EXE
PID:3540 -
\??\c:\7pjvp.exec:\7pjvp.exe45⤵
- Executes dropped EXE
PID:4660 -
\??\c:\rrrlffx.exec:\rrrlffx.exe46⤵
- Executes dropped EXE
PID:1920 -
\??\c:\nhthnt.exec:\nhthnt.exe47⤵
- Executes dropped EXE
PID:4488 -
\??\c:\dvdpj.exec:\dvdpj.exe48⤵
- Executes dropped EXE
PID:4888 -
\??\c:\lfrlflf.exec:\lfrlflf.exe49⤵
- Executes dropped EXE
PID:2304 -
\??\c:\fxfxfll.exec:\fxfxfll.exe50⤵
- Executes dropped EXE
PID:400 -
\??\c:\btbttn.exec:\btbttn.exe51⤵
- Executes dropped EXE
PID:1368 -
\??\c:\9dvpd.exec:\9dvpd.exe52⤵
- Executes dropped EXE
PID:2724 -
\??\c:\llfxxrx.exec:\llfxxrx.exe53⤵
- Executes dropped EXE
PID:2264 -
\??\c:\btntbb.exec:\btntbb.exe54⤵
- Executes dropped EXE
PID:4756 -
\??\c:\1dvpd.exec:\1dvpd.exe55⤵
- Executes dropped EXE
PID:5060 -
\??\c:\xlrxrrl.exec:\xlrxrrl.exe56⤵
- Executes dropped EXE
PID:4772 -
\??\c:\hbbtnn.exec:\hbbtnn.exe57⤵
- Executes dropped EXE
PID:1552 -
\??\c:\nhbttt.exec:\nhbttt.exe58⤵
- Executes dropped EXE
PID:2536 -
\??\c:\5vvpp.exec:\5vvpp.exe59⤵
- Executes dropped EXE
PID:4392 -
\??\c:\lxffxxr.exec:\lxffxxr.exe60⤵
- Executes dropped EXE
PID:1840 -
\??\c:\tnhbtt.exec:\tnhbtt.exe61⤵
- Executes dropped EXE
PID:1556 -
\??\c:\pjddv.exec:\pjddv.exe62⤵
- Executes dropped EXE
PID:2184 -
\??\c:\jdjjd.exec:\jdjjd.exe63⤵
- Executes dropped EXE
PID:1576 -
\??\c:\lffrrff.exec:\lffrrff.exe64⤵
- Executes dropped EXE
PID:3892 -
\??\c:\nbbbth.exec:\nbbbth.exe65⤵
- Executes dropped EXE
PID:544 -
\??\c:\vpvvv.exec:\vpvvv.exe66⤵PID:1792
-
\??\c:\jdvpp.exec:\jdvpp.exe67⤵PID:2584
-
\??\c:\lflfxrf.exec:\lflfxrf.exe68⤵PID:540
-
\??\c:\bntbtt.exec:\bntbtt.exe69⤵PID:3644
-
\??\c:\ntnntb.exec:\ntnntb.exe70⤵PID:2008
-
\??\c:\vpvdv.exec:\vpvdv.exe71⤵PID:1372
-
\??\c:\rrlfrxr.exec:\rrlfrxr.exe72⤵PID:1864
-
\??\c:\tnnhtt.exec:\tnnhtt.exe73⤵PID:4060
-
\??\c:\btnnbb.exec:\btnnbb.exe74⤵PID:4640
-
\??\c:\5vvdd.exec:\5vvdd.exe75⤵PID:4952
-
\??\c:\fxrrrrr.exec:\fxrrrrr.exe76⤵PID:4316
-
\??\c:\7hhbtt.exec:\7hhbtt.exe77⤵PID:2492
-
\??\c:\pjpjj.exec:\pjpjj.exe78⤵PID:3448
-
\??\c:\jpddv.exec:\jpddv.exe79⤵PID:2956
-
\??\c:\rxrxrlr.exec:\rxrxrlr.exe80⤵PID:1816
-
\??\c:\xlxrllx.exec:\xlxrllx.exe81⤵PID:392
-
\??\c:\bnbtnb.exec:\bnbtnb.exe82⤵PID:3472
-
\??\c:\vvdjv.exec:\vvdjv.exe83⤵PID:3484
-
\??\c:\rlrlfff.exec:\rlrlfff.exe84⤵PID:1180
-
\??\c:\nhntnn.exec:\nhntnn.exe85⤵PID:636
-
\??\c:\jdvpp.exec:\jdvpp.exe86⤵PID:2024
-
\??\c:\rfxxrrr.exec:\rfxxrrr.exe87⤵PID:4368
-
\??\c:\tbtnhh.exec:\tbtnhh.exe88⤵PID:3012
-
\??\c:\vpjpj.exec:\vpjpj.exe89⤵PID:3008
-
\??\c:\llfrflr.exec:\llfrflr.exe90⤵PID:4408
-
\??\c:\thhbtt.exec:\thhbtt.exe91⤵PID:1856
-
\??\c:\7hbttt.exec:\7hbttt.exe92⤵PID:3040
-
\??\c:\jdjjv.exec:\jdjjv.exe93⤵PID:4660
-
\??\c:\frxxrff.exec:\frxxrff.exe94⤵PID:4388
-
\??\c:\thnbnb.exec:\thnbnb.exe95⤵PID:2920
-
\??\c:\5jjdv.exec:\5jjdv.exe96⤵PID:4888
-
\??\c:\pdjpj.exec:\pdjpj.exe97⤵PID:2304
-
\??\c:\lllfxrl.exec:\lllfxrl.exe98⤵PID:400
-
\??\c:\nhhbtb.exec:\nhhbtb.exe99⤵PID:1368
-
\??\c:\pjdpd.exec:\pjdpd.exe100⤵PID:3852
-
\??\c:\7vpjd.exec:\7vpjd.exe101⤵PID:3748
-
\??\c:\xlrfxxr.exec:\xlrfxxr.exe102⤵PID:2100
-
\??\c:\9nhbtt.exec:\9nhbtt.exe103⤵PID:3652
-
\??\c:\bhhbbn.exec:\bhhbbn.exe104⤵PID:2356
-
\??\c:\pjjdd.exec:\pjjdd.exe105⤵PID:696
-
\??\c:\1rlxffl.exec:\1rlxffl.exe106⤵PID:1660
-
\??\c:\ntnhbn.exec:\ntnhbn.exe107⤵PID:2632
-
\??\c:\hntbnt.exec:\hntbnt.exe108⤵PID:704
-
\??\c:\xllfxxx.exec:\xllfxxx.exe109⤵PID:1340
-
\??\c:\xffffff.exec:\xffffff.exe110⤵PID:4448
-
\??\c:\bbhhhh.exec:\bbhhhh.exe111⤵PID:1392
-
\??\c:\7jdjp.exec:\7jdjp.exe112⤵PID:880
-
\??\c:\7rlfxlf.exec:\7rlfxlf.exe113⤵PID:2452
-
\??\c:\rxfffxx.exec:\rxfffxx.exe114⤵PID:2164
-
\??\c:\hnhbbh.exec:\hnhbbh.exe115⤵PID:540
-
\??\c:\pjvpp.exec:\pjvpp.exe116⤵PID:2948
-
\??\c:\dpjvj.exec:\dpjvj.exe117⤵PID:1804
-
\??\c:\rlrlrrx.exec:\rlrlrrx.exe118⤵PID:3204
-
\??\c:\xrrlfxf.exec:\xrrlfxf.exe119⤵PID:3504
-
\??\c:\3bhnnn.exec:\3bhnnn.exe120⤵PID:4932
-
\??\c:\jpddv.exec:\jpddv.exe121⤵PID:3632
-
\??\c:\vdvvd.exec:\vdvvd.exe122⤵PID:3992