Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30-05-2024 22:02
Behavioral task
behavioral1
Sample
6a0c47316f2320eabc2caa9f7e3267c0_NeikiAnalytics.exe
Resource
win7-20240221-en
Note: this task entry (behavioral1) names the Windows 7 image, but every signature hit and memory dump below is labelled behavioral2 and the analysis header lists the Windows 10 image (win10v2004-20240426-en). Treat the IoCs on this page as coming from the Windows 10 run; results from the Windows 7 task are not shown here.
General
-
Target
6a0c47316f2320eabc2caa9f7e3267c0_NeikiAnalytics.exe
-
Size
253KB
-
MD5
6a0c47316f2320eabc2caa9f7e3267c0
-
SHA1
f4e41b5093345a47e12385edab5e7bce23962fe7
-
SHA256
d6c0e575e45c5f90ea927797d314ef85d1be30e964d7307231e0ed1962fbcf76
-
SHA512
b0646f3c2746d8b65304f55325e7855f4c1d2193ad4085a72219d6e4f1cd222e182ad920615c32eeb36b021ad54065ad844bdaf0317e9c7c228800d9fc3268df
-
SSDEEP
3072:chOmTsF93UYfwC6GIoutieyhC2lbgGi5yLpcgDE4JBuItR8pTsgZ9WT4iaz+THka:ccm4FmowdHoSi9EIBftapTs4WZazeE1w
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Every hit is the same image range (0x00400000-0x00436000) in each spawned process, i.e. the rule matches the loaded executable image rather than an injected region. PIDs are reused over the course of the run (for example PID 1452 is 9frrffr.exe at memory/1452-41 and xlrxlxf.exe at memory/1452-245; PID 4888 is 3ntbbb.exe and later xxxxrlx.exe), so a dump name identifies a process only together with its sequence number; cross-check against the process tree before pivoting on a PID.
Processes:
resource yara_rule behavioral2/memory/3648-19-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3400-30-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1452-41-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1456-49-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4696-70-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4716-78-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4060-99-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/220-118-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1436-144-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1720-188-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/640-198-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2924-216-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1648-224-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1452-245-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4336-228-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4332-218-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4972-212-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2976-264-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1180-205-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3104-204-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1252-194-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/2792-181-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/5072-179-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2236-273-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1524-158-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4856-157-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2404-150-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1424-277-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4888-129-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4364-127-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1440-116-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4140-88-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4432-287-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2016-74-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3916-48-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2084-7-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/512-6-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2756-301-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4976-302-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/736-309-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4888-325-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2864-329-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/432-351-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2284-365-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3904-375-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3356-402-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2276-408-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2860-424-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4984-446-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1216-483-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3256-487-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4588-491-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4516-523-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1000-572-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1456-593-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1028-690-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2468-706-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3916-738-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1792-745-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3324-761-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4352-862-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3352-909-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1268-995-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/436-1334-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon -
Malware Dropper & Backdoor - Berbew 32 IoCs
Berbew is a backdoor Trojan that can download and install additional malware, such as other Trojans, ransomware, and cryptominers. In this run the dropper writes every payload to the root of the system drive with a short, consonant-only name (e.g. C:\dvpjj.exe, \??\c:\frlxlfx.exe); executables created directly in C:\ by a user-land process are an uncommon event and a practical hunting artefact for this family.
Processes:
resource yara_rule C:\dvpjj.exe family_berbew C:\1pdvj.exe family_berbew C:\frlfrlf.exe family_berbew \??\c:\frlxlfx.exe family_berbew C:\1ppjd.exe family_berbew C:\9frrffr.exe family_berbew \??\c:\hnnhbt.exe family_berbew \??\c:\lffxxxx.exe family_berbew \??\c:\1tthbt.exe family_berbew \??\c:\ntthbb.exe family_berbew C:\5jdvp.exe family_berbew \??\c:\rflfxxr.exe family_berbew C:\hnthtn.exe family_berbew \??\c:\djvjv.exe family_berbew C:\7xrfxxr.exe family_berbew \??\c:\thtbbt.exe family_berbew \??\c:\jvpjd.exe family_berbew \??\c:\flrlxlf.exe family_berbew \??\c:\3ntbbb.exe family_berbew \??\c:\xlxrffx.exe family_berbew \??\c:\ntnthn.exe family_berbew \??\c:\nbbbtb.exe family_berbew \??\c:\dppjd.exe family_berbew \??\c:\vpvpp.exe family_berbew \??\c:\nhttnh.exe family_berbew \??\c:\nnhhhh.exe family_berbew \??\c:\frfxlfr.exe family_berbew \??\c:\hbthnh.exe family_berbew \??\c:\lrrlffx.exe family_berbew \??\c:\ddjdd.exe family_berbew \??\c:\1lrxrrl.exe family_berbew \??\c:\dvvpj.exe family_berbew -
Executes dropped EXE 64 IoCs
Each dropped executable is started by the one before it, so the process tree below is a single linear chain (more than 240 levels deep in the visible portion) rooted at the submitted sample rather than a fan-out from one dropper. The parent->child relationship, not the file name (which varies per hop), is the stable detection signal.
Processes:
dvpjj.exe1pdvj.exefrlfrlf.exefrlxlfx.exe1ppjd.exe9frrffr.exehnnhbt.exedvvpj.exelffxxxx.exe1tthbt.exentthbb.exe5jdvp.exerflfxxr.exehnthtn.exedjvjv.exe7xrfxxr.exethtbbt.exejvpjd.exeflrlxlf.exe1lrxrrl.exe3ntbbb.exeddjdd.exexlxrffx.exentnthn.exenbbbtb.exelrrlffx.exehbthnh.exedppjd.exevpvpp.exefrfxlfr.exenhttnh.exennhhhh.exevjdvp.exelrfffll.exe3hthnn.exepdvvp.exepddvj.exelrrllrr.exelllfxxr.exe1thbnn.exevjjjd.exelxxlxlx.exellrlrll.exehbbbtt.exe7btnhh.exedjjdv.exefxrlfxl.exexlrxlxf.exehtnhth.exehtbbtt.exedvjvd.exexlfxrlf.exelxxxlll.exehttnnn.exejjpjj.exevpjjd.exelllfrrl.exefxlfxfx.exe9bnhbb.exe5vvvp.exevppdp.exe9rlfrlf.exefrflxlx.exe3nbttt.exepid process 2084 dvpjj.exe 2276 1pdvj.exe 3648 frlfrlf.exe 3400 frlxlfx.exe 4456 1ppjd.exe 1452 9frrffr.exe 3916 hnnhbt.exe 1456 dvvpj.exe 1224 lffxxxx.exe 1792 1tthbt.exe 4696 ntthbb.exe 2016 5jdvp.exe 4716 rflfxxr.exe 2156 hnthtn.exe 4140 djvjv.exe 4060 7xrfxxr.exe 2728 thtbbt.exe 2372 jvpjd.exe 1440 flrlxlf.exe 220 1lrxrrl.exe 4888 3ntbbb.exe 4364 ddjdd.exe 4732 xlxrffx.exe 1436 ntnthn.exe 2404 nbbbtb.exe 4856 lrrlffx.exe 1524 hbthnh.exe 3372 dppjd.exe 2760 vpvpp.exe 5072 frfxlfr.exe 2792 nhttnh.exe 4008 nnhhhh.exe 1720 vjdvp.exe 1252 lrfffll.exe 640 3hthnn.exe 3104 pdvvp.exe 1180 pddvj.exe 4972 lrrllrr.exe 2924 lllfxxr.exe 4332 1thbnn.exe 1648 vjjjd.exe 4336 lxxlxlx.exe 3008 llrlrll.exe 3624 hbbbtt.exe 1612 7btnhh.exe 3580 djjdv.exe 3876 fxrlfxl.exe 1452 xlrxlxf.exe 3928 htnhth.exe 1120 htbbtt.exe 2780 dvjvd.exe 2020 xlfxrlf.exe 2604 lxxxlll.exe 2976 httnnn.exe 372 jjpjj.exe 2236 vpjjd.exe 2672 lllfrrl.exe 1424 fxlfxfx.exe 4468 9bnhbb.exe 4432 5vvvp.exe 3652 vppdp.exe 4016 9rlfrlf.exe 4492 frflxlx.exe 2756 3nbttt.exe -
Processes (yara rule `upx`: the submitted sample, the dropped files and their in-memory images match a UPX-packed layout; static strings/imports from the on-disk files will be of limited use until unpacked):
resource yara_rule behavioral2/memory/512-0-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\dvpjj.exe upx C:\1pdvj.exe upx C:\frlfrlf.exe upx behavioral2/memory/3400-24-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\frlxlfx.exe upx behavioral2/memory/3648-19-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\1ppjd.exe upx behavioral2/memory/3400-30-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\9frrffr.exe upx behavioral2/memory/1452-36-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\hnnhbt.exe upx behavioral2/memory/1452-41-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1456-49-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\lffxxxx.exe upx \??\c:\1tthbt.exe upx \??\c:\ntthbb.exe upx C:\5jdvp.exe upx behavioral2/memory/4696-70-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\rflfxxr.exe upx behavioral2/memory/4716-78-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\hnthtn.exe upx \??\c:\djvjv.exe upx C:\7xrfxxr.exe upx behavioral2/memory/4060-94-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4060-99-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\thtbbt.exe upx \??\c:\jvpjd.exe upx \??\c:\flrlxlf.exe upx behavioral2/memory/220-118-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\3ntbbb.exe upx \??\c:\xlxrffx.exe upx \??\c:\ntnthn.exe upx behavioral2/memory/1436-144-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\nbbbtb.exe upx \??\c:\dppjd.exe upx \??\c:\vpvpp.exe upx \??\c:\nhttnh.exe upx behavioral2/memory/1720-188-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/640-198-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2924-216-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1648-224-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1452-245-0x0000000000400000-0x0000000000436000-memory.dmp upx 
behavioral2/memory/4336-228-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4332-218-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4972-212-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2976-264-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1180-205-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3104-204-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1252-194-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\nnhhhh.exe upx behavioral2/memory/2792-181-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/5072-179-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\frfxlfr.exe upx behavioral2/memory/2236-273-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1524-158-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4856-157-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\hbthnh.exe upx behavioral2/memory/4856-151-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2404-150-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\lrrlffx.exe upx behavioral2/memory/1424-277-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4888-129-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4364-127-0x0000000000400000-0x0000000000436000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Each parent->child pair is listed three times and every target is the process's own immediate child in the tree below, so these writes accompany child-process creation rather than indicating injection into an unrelated process. Where a target name disagrees with the tree (PID 220 -> 4888 is shown as xxxxrlx.exe, but 4888 is 3ntbbb.exe at that point and only later reused by xxxxrlx.exe), the name was resolved after PID reuse; trust the PID and sequence, not the name.
Processes:
6a0c47316f2320eabc2caa9f7e3267c0_NeikiAnalytics.exedvpjj.exe1pdvj.exefrlfrlf.exefrlxlfx.exe1ppjd.exe9frrffr.exehnnhbt.exedvvpj.exelffxxxx.exe1tthbt.exentthbb.exe5jdvp.exerflfxxr.exehnthtn.exedjvjv.exe7xrfxxr.exethtbbt.exejvpjd.exeflrlxlf.exe1lrxrrl.exe3ntbbb.exedescription pid process target process PID 512 wrote to memory of 2084 512 6a0c47316f2320eabc2caa9f7e3267c0_NeikiAnalytics.exe dvpjj.exe PID 512 wrote to memory of 2084 512 6a0c47316f2320eabc2caa9f7e3267c0_NeikiAnalytics.exe dvpjj.exe PID 512 wrote to memory of 2084 512 6a0c47316f2320eabc2caa9f7e3267c0_NeikiAnalytics.exe dvpjj.exe PID 2084 wrote to memory of 2276 2084 dvpjj.exe 1pdvj.exe PID 2084 wrote to memory of 2276 2084 dvpjj.exe 1pdvj.exe PID 2084 wrote to memory of 2276 2084 dvpjj.exe 1pdvj.exe PID 2276 wrote to memory of 3648 2276 1pdvj.exe frlfrlf.exe PID 2276 wrote to memory of 3648 2276 1pdvj.exe frlfrlf.exe PID 2276 wrote to memory of 3648 2276 1pdvj.exe frlfrlf.exe PID 3648 wrote to memory of 3400 3648 frlfrlf.exe frlxlfx.exe PID 3648 wrote to memory of 3400 3648 frlfrlf.exe frlxlfx.exe PID 3648 wrote to memory of 3400 3648 frlfrlf.exe frlxlfx.exe PID 3400 wrote to memory of 4456 3400 frlxlfx.exe 1ppjd.exe PID 3400 wrote to memory of 4456 3400 frlxlfx.exe 1ppjd.exe PID 3400 wrote to memory of 4456 3400 frlxlfx.exe 1ppjd.exe PID 4456 wrote to memory of 1452 4456 1ppjd.exe 9frrffr.exe PID 4456 wrote to memory of 1452 4456 1ppjd.exe 9frrffr.exe PID 4456 wrote to memory of 1452 4456 1ppjd.exe 9frrffr.exe PID 1452 wrote to memory of 3916 1452 9frrffr.exe hnnhbt.exe PID 1452 wrote to memory of 3916 1452 9frrffr.exe hnnhbt.exe PID 1452 wrote to memory of 3916 1452 9frrffr.exe hnnhbt.exe PID 3916 wrote to memory of 1456 3916 hnnhbt.exe dvvpj.exe PID 3916 wrote to memory of 1456 3916 hnnhbt.exe dvvpj.exe PID 3916 wrote to memory of 1456 3916 hnnhbt.exe dvvpj.exe PID 1456 wrote to memory of 1224 1456 dvvpj.exe lffxxxx.exe PID 1456 wrote to memory of 1224 1456 dvvpj.exe lffxxxx.exe PID 1456 wrote to memory 
of 1224 1456 dvvpj.exe lffxxxx.exe PID 1224 wrote to memory of 1792 1224 lffxxxx.exe 1tthbt.exe PID 1224 wrote to memory of 1792 1224 lffxxxx.exe 1tthbt.exe PID 1224 wrote to memory of 1792 1224 lffxxxx.exe 1tthbt.exe PID 1792 wrote to memory of 4696 1792 1tthbt.exe ntthbb.exe PID 1792 wrote to memory of 4696 1792 1tthbt.exe ntthbb.exe PID 1792 wrote to memory of 4696 1792 1tthbt.exe ntthbb.exe PID 4696 wrote to memory of 2016 4696 ntthbb.exe 5jdvp.exe PID 4696 wrote to memory of 2016 4696 ntthbb.exe 5jdvp.exe PID 4696 wrote to memory of 2016 4696 ntthbb.exe 5jdvp.exe PID 2016 wrote to memory of 4716 2016 5jdvp.exe rflfxxr.exe PID 2016 wrote to memory of 4716 2016 5jdvp.exe rflfxxr.exe PID 2016 wrote to memory of 4716 2016 5jdvp.exe rflfxxr.exe PID 4716 wrote to memory of 2156 4716 rflfxxr.exe hnthtn.exe PID 4716 wrote to memory of 2156 4716 rflfxxr.exe hnthtn.exe PID 4716 wrote to memory of 2156 4716 rflfxxr.exe hnthtn.exe PID 2156 wrote to memory of 4140 2156 hnthtn.exe djvjv.exe PID 2156 wrote to memory of 4140 2156 hnthtn.exe djvjv.exe PID 2156 wrote to memory of 4140 2156 hnthtn.exe djvjv.exe PID 4140 wrote to memory of 4060 4140 djvjv.exe 7xrfxxr.exe PID 4140 wrote to memory of 4060 4140 djvjv.exe 7xrfxxr.exe PID 4140 wrote to memory of 4060 4140 djvjv.exe 7xrfxxr.exe PID 4060 wrote to memory of 2728 4060 7xrfxxr.exe thtbbt.exe PID 4060 wrote to memory of 2728 4060 7xrfxxr.exe thtbbt.exe PID 4060 wrote to memory of 2728 4060 7xrfxxr.exe thtbbt.exe PID 2728 wrote to memory of 2372 2728 thtbbt.exe jvpjd.exe PID 2728 wrote to memory of 2372 2728 thtbbt.exe jvpjd.exe PID 2728 wrote to memory of 2372 2728 thtbbt.exe jvpjd.exe PID 2372 wrote to memory of 1440 2372 jvpjd.exe flrlxlf.exe PID 2372 wrote to memory of 1440 2372 jvpjd.exe flrlxlf.exe PID 2372 wrote to memory of 1440 2372 jvpjd.exe flrlxlf.exe PID 1440 wrote to memory of 220 1440 flrlxlf.exe 1lrxrrl.exe PID 1440 wrote to memory of 220 1440 flrlxlf.exe 1lrxrrl.exe PID 1440 wrote to memory of 220 1440 
flrlxlf.exe 1lrxrrl.exe PID 220 wrote to memory of 4888 220 1lrxrrl.exe xxxxrlx.exe PID 220 wrote to memory of 4888 220 1lrxrrl.exe xxxxrlx.exe PID 220 wrote to memory of 4888 220 1lrxrrl.exe xxxxrlx.exe PID 4888 wrote to memory of 4364 4888 3ntbbb.exe ddjdd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a0c47316f2320eabc2caa9f7e3267c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6a0c47316f2320eabc2caa9f7e3267c0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\dvpjj.exec:\dvpjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\1pdvj.exec:\1pdvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\frlfrlf.exec:\frlfrlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\frlxlfx.exec:\frlxlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\1ppjd.exec:\1ppjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\9frrffr.exec:\9frrffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\hnnhbt.exec:\hnnhbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\dvvpj.exec:\dvvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\lffxxxx.exec:\lffxxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\1tthbt.exec:\1tthbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\ntthbb.exec:\ntthbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\5jdvp.exec:\5jdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\rflfxxr.exec:\rflfxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\hnthtn.exec:\hnthtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\djvjv.exec:\djvjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\7xrfxxr.exec:\7xrfxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\thtbbt.exec:\thtbbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\jvpjd.exec:\jvpjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\flrlxlf.exec:\flrlxlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\1lrxrrl.exec:\1lrxrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\3ntbbb.exec:\3ntbbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\ddjdd.exec:\ddjdd.exe23⤵
- Executes dropped EXE
PID:4364 -
\??\c:\xlxrffx.exec:\xlxrffx.exe24⤵
- Executes dropped EXE
PID:4732 -
\??\c:\ntnthn.exec:\ntnthn.exe25⤵
- Executes dropped EXE
PID:1436 -
\??\c:\nbbbtb.exec:\nbbbtb.exe26⤵
- Executes dropped EXE
PID:2404 -
\??\c:\lrrlffx.exec:\lrrlffx.exe27⤵
- Executes dropped EXE
PID:4856 -
\??\c:\hbthnh.exec:\hbthnh.exe28⤵
- Executes dropped EXE
PID:1524 -
\??\c:\dppjd.exec:\dppjd.exe29⤵
- Executes dropped EXE
PID:3372 -
\??\c:\vpvpp.exec:\vpvpp.exe30⤵
- Executes dropped EXE
PID:2760 -
\??\c:\frfxlfr.exec:\frfxlfr.exe31⤵
- Executes dropped EXE
PID:5072 -
\??\c:\nhttnh.exec:\nhttnh.exe32⤵
- Executes dropped EXE
PID:2792 -
\??\c:\nnhhhh.exec:\nnhhhh.exe33⤵
- Executes dropped EXE
PID:4008 -
\??\c:\vjdvp.exec:\vjdvp.exe34⤵
- Executes dropped EXE
PID:1720 -
\??\c:\lrfffll.exec:\lrfffll.exe35⤵
- Executes dropped EXE
PID:1252 -
\??\c:\3hthnn.exec:\3hthnn.exe36⤵
- Executes dropped EXE
PID:640 -
\??\c:\pdvvp.exec:\pdvvp.exe37⤵
- Executes dropped EXE
PID:3104 -
\??\c:\pddvj.exec:\pddvj.exe38⤵
- Executes dropped EXE
PID:1180 -
\??\c:\lrrllrr.exec:\lrrllrr.exe39⤵
- Executes dropped EXE
PID:4972 -
\??\c:\lllfxxr.exec:\lllfxxr.exe40⤵
- Executes dropped EXE
PID:2924 -
\??\c:\1thbnn.exec:\1thbnn.exe41⤵
- Executes dropped EXE
PID:4332 -
\??\c:\vjjjd.exec:\vjjjd.exe42⤵
- Executes dropped EXE
PID:1648 -
\??\c:\lxxlxlx.exec:\lxxlxlx.exe43⤵
- Executes dropped EXE
PID:4336 -
\??\c:\llrlrll.exec:\llrlrll.exe44⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hbbbtt.exec:\hbbbtt.exe45⤵
- Executes dropped EXE
PID:3624 -
\??\c:\7btnhh.exec:\7btnhh.exe46⤵
- Executes dropped EXE
PID:1612 -
\??\c:\djjdv.exec:\djjdv.exe47⤵
- Executes dropped EXE
PID:3580 -
\??\c:\fxrlfxl.exec:\fxrlfxl.exe48⤵
- Executes dropped EXE
PID:3876 -
\??\c:\xlrxlxf.exec:\xlrxlxf.exe49⤵
- Executes dropped EXE
PID:1452 -
\??\c:\htnhth.exec:\htnhth.exe50⤵
- Executes dropped EXE
PID:3928 -
\??\c:\htbbtt.exec:\htbbtt.exe51⤵
- Executes dropped EXE
PID:1120 -
\??\c:\dvjvd.exec:\dvjvd.exe52⤵
- Executes dropped EXE
PID:2780 -
\??\c:\xlfxrlf.exec:\xlfxrlf.exe53⤵
- Executes dropped EXE
PID:2020 -
\??\c:\lxxxlll.exec:\lxxxlll.exe54⤵
- Executes dropped EXE
PID:2604 -
\??\c:\httnnn.exec:\httnnn.exe55⤵
- Executes dropped EXE
PID:2976 -
\??\c:\jjpjj.exec:\jjpjj.exe56⤵
- Executes dropped EXE
PID:372 -
\??\c:\vpjjd.exec:\vpjjd.exe57⤵
- Executes dropped EXE
PID:2236 -
\??\c:\lllfrrl.exec:\lllfrrl.exe58⤵
- Executes dropped EXE
PID:2672 -
\??\c:\fxlfxfx.exec:\fxlfxfx.exe59⤵
- Executes dropped EXE
PID:1424 -
\??\c:\9bnhbb.exec:\9bnhbb.exe60⤵
- Executes dropped EXE
PID:4468 -
\??\c:\5vvvp.exec:\5vvvp.exe61⤵
- Executes dropped EXE
PID:4432 -
\??\c:\vppdp.exec:\vppdp.exe62⤵
- Executes dropped EXE
PID:3652 -
\??\c:\9rlfrlf.exec:\9rlfrlf.exe63⤵
- Executes dropped EXE
PID:4016 -
\??\c:\frflxlx.exec:\frflxlx.exe64⤵
- Executes dropped EXE
PID:4492 -
\??\c:\3nbttt.exec:\3nbttt.exe65⤵
- Executes dropped EXE
PID:2756 -
\??\c:\nbhbbn.exec:\nbhbbn.exe66⤵PID:4976
-
\??\c:\9jvpj.exec:\9jvpj.exe67⤵PID:736
-
\??\c:\lxxrrlf.exec:\lxxrrlf.exe68⤵PID:4588
-
\??\c:\rfrxxxf.exec:\rfrxxxf.exe69⤵PID:2000
-
\??\c:\bntnhb.exec:\bntnhb.exe70⤵PID:2868
-
\??\c:\dpvjp.exec:\dpvjp.exe71⤵PID:4048
-
\??\c:\xxxxrlx.exec:\xxxxrlx.exe72⤵PID:4888
-
\??\c:\fxlfrxr.exec:\fxlfrxr.exe73⤵PID:2864
-
\??\c:\3nhbbb.exec:\3nhbbb.exe74⤵PID:1512
-
\??\c:\pvjjd.exec:\pvjjd.exe75⤵PID:4244
-
\??\c:\lxfffrr.exec:\lxfffrr.exe76⤵PID:2584
-
\??\c:\nhhttn.exec:\nhhttn.exe77⤵PID:3208
-
\??\c:\jdddv.exec:\jdddv.exe78⤵PID:1064
-
\??\c:\ddpjd.exec:\ddpjd.exe79⤵PID:4516
-
\??\c:\xlfxrxr.exec:\xlfxrxr.exe80⤵PID:432
-
\??\c:\bbbtnn.exec:\bbbtnn.exe81⤵PID:3372
-
\??\c:\1jdvp.exec:\1jdvp.exe82⤵PID:2740
-
\??\c:\9lrllll.exec:\9lrllll.exe83⤵PID:3940
-
\??\c:\xrlrflf.exec:\xrlrflf.exe84⤵PID:2284
-
\??\c:\7hbtnt.exec:\7hbtnt.exe85⤵PID:2024
-
\??\c:\lrllrrx.exec:\lrllrrx.exe86⤵PID:2224
-
\??\c:\btbnhh.exec:\btbnhh.exe87⤵PID:3904
-
\??\c:\jvvpp.exec:\jvvpp.exe88⤵PID:1252
-
\??\c:\1rrlllf.exec:\1rrlllf.exe89⤵PID:640
-
\??\c:\hnnbbb.exec:\hnnbbb.exe90⤵PID:552
-
\??\c:\pjjdv.exec:\pjjdv.exe91⤵PID:4520
-
\??\c:\jvjvv.exec:\jvjvv.exe92⤵PID:3132
-
\??\c:\xrrllll.exec:\xrrllll.exe93⤵PID:2468
-
\??\c:\tnttbn.exec:\tnttbn.exe94⤵PID:1084
-
\??\c:\bnnhtn.exec:\bnnhtn.exe95⤵PID:512
-
\??\c:\dpddv.exec:\dpddv.exe96⤵PID:3356
-
\??\c:\fxffxfx.exec:\fxffxfx.exe97⤵PID:4920
-
\??\c:\xrrrllf.exec:\xrrrllf.exe98⤵PID:2276
-
\??\c:\hhtbnh.exec:\hhtbnh.exe99⤵PID:2028
-
\??\c:\dddvp.exec:\dddvp.exe100⤵PID:4792
-
\??\c:\lxlfxxl.exec:\lxlfxxl.exe101⤵PID:4324
-
\??\c:\rlflllf.exec:\rlflllf.exe102⤵PID:3400
-
\??\c:\hbbthh.exec:\hbbthh.exe103⤵PID:2860
-
\??\c:\hnbttn.exec:\hnbttn.exe104⤵PID:1508
-
\??\c:\7xflflf.exec:\7xflflf.exe105⤵PID:4728
-
\??\c:\rlrrxlf.exec:\rlrrxlf.exe106⤵PID:4844
-
\??\c:\nhhhbh.exec:\nhhhbh.exe107⤵PID:2072
-
\??\c:\vvjjd.exec:\vvjjd.exe108⤵PID:3484
-
\??\c:\3xxxrrr.exec:\3xxxrrr.exe109⤵PID:3352
-
\??\c:\lxfrllf.exec:\lxfrllf.exe110⤵PID:4984
-
\??\c:\ttttbh.exec:\ttttbh.exe111⤵PID:544
-
\??\c:\dvdvd.exec:\dvdvd.exe112⤵PID:4548
-
\??\c:\frlrrfl.exec:\frlrrfl.exe113⤵PID:3936
-
\??\c:\bbtnhh.exec:\bbtnhh.exe114⤵PID:4896
-
\??\c:\pjpjd.exec:\pjpjd.exe115⤵PID:4136
-
\??\c:\7frlrll.exec:\7frlrll.exe116⤵PID:4908
-
\??\c:\hbhhnh.exec:\hbhhnh.exe117⤵PID:3536
-
\??\c:\jppvj.exec:\jppvj.exe118⤵PID:2728
-
\??\c:\pvdvp.exec:\pvdvp.exe119⤵PID:4928
-
\??\c:\fxxrlll.exec:\fxxrlll.exe120⤵PID:2768
-
\??\c:\rfffxxx.exec:\rfffxxx.exe121⤵PID:1216
-
\??\c:\bbhhhb.exec:\bbhhhb.exe122⤵PID:3256
-
\??\c:\pjpjj.exec:\pjpjj.exe123⤵PID:4588
-
\??\c:\xxxxrrr.exec:\xxxxrrr.exe124⤵PID:4220
-
\??\c:\hhtntn.exec:\hhtntn.exe125⤵PID:2868
-
\??\c:\vvvpj.exec:\vvvpj.exe126⤵PID:3872
-
\??\c:\rflfxxr.exec:\rflfxxr.exe127⤵PID:3612
-
\??\c:\fllxrlx.exec:\fllxrlx.exe128⤵PID:2864
-
\??\c:\9jdvv.exec:\9jdvv.exe129⤵PID:1512
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe130⤵PID:2908
-
\??\c:\ttttbb.exec:\ttttbb.exe131⤵PID:4804
-
\??\c:\jdvpp.exec:\jdvpp.exe132⤵PID:4856
-
\??\c:\ddjdj.exec:\ddjdj.exe133⤵PID:4800
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe134⤵PID:4516
-
\??\c:\3httnt.exec:\3httnt.exe135⤵PID:908
-
\??\c:\btnbtn.exec:\btnbtn.exe136⤵PID:4040
-
\??\c:\dvjdd.exec:\dvjdd.exe137⤵PID:4008
-
\??\c:\vjjdv.exec:\vjjdv.exe138⤵PID:1608
-
\??\c:\xrllflf.exec:\xrllflf.exe139⤵PID:2224
-
\??\c:\hbhbth.exec:\hbhbth.exe140⤵PID:4408
-
\??\c:\1bhtnh.exec:\1bhtnh.exe141⤵PID:640
-
\??\c:\jjdvv.exec:\jjdvv.exe142⤵PID:2816
-
\??\c:\rlxfxff.exec:\rlxfxff.exe143⤵PID:2356
-
\??\c:\rflllff.exec:\rflllff.exe144⤵PID:5012
-
\??\c:\bnttnt.exec:\bnttnt.exe145⤵PID:4104
-
\??\c:\thhhnn.exec:\thhhnn.exe146⤵PID:3356
-
\??\c:\9vjdj.exec:\9vjdj.exe147⤵PID:2204
-
\??\c:\frfffxx.exec:\frfffxx.exe148⤵PID:376
-
\??\c:\9hnhhn.exec:\9hnhhn.exe149⤵PID:1000
-
\??\c:\3bhbth.exec:\3bhbth.exe150⤵PID:1140
-
\??\c:\ddvpp.exec:\ddvpp.exe151⤵PID:5008
-
\??\c:\rfllfff.exec:\rfllfff.exe152⤵PID:4504
-
\??\c:\hbbttt.exec:\hbbttt.exe153⤵PID:3716
-
\??\c:\tnbthh.exec:\tnbthh.exe154⤵PID:4360
-
\??\c:\dvvpp.exec:\dvvpp.exe155⤵PID:1456
-
\??\c:\3xlfxff.exec:\3xlfxff.exe156⤵PID:4844
-
\??\c:\tnttbh.exec:\tnttbh.exe157⤵PID:2072
-
\??\c:\ddpdd.exec:\ddpdd.exe158⤵PID:372
-
\??\c:\flrfflr.exec:\flrfflr.exe159⤵PID:2236
-
\??\c:\7hnnhn.exec:\7hnnhn.exe160⤵PID:1444
-
\??\c:\pddjd.exec:\pddjd.exe161⤵PID:3432
-
\??\c:\pvppd.exec:\pvppd.exe162⤵PID:2016
-
\??\c:\ttnbnb.exec:\ttnbnb.exe163⤵PID:5060
-
\??\c:\pvppp.exec:\pvppp.exe164⤵PID:1488
-
\??\c:\lrflxfl.exec:\lrflxfl.exe165⤵PID:1352
-
\??\c:\7rrrffx.exec:\7rrrffx.exe166⤵PID:4824
-
\??\c:\rlllrrl.exec:\rlllrrl.exe167⤵PID:3472
-
\??\c:\nnthbb.exec:\nnthbb.exe168⤵PID:5036
-
\??\c:\pjjdv.exec:\pjjdv.exe169⤵PID:4820
-
\??\c:\xxrxfrf.exec:\xxrxfrf.exe170⤵PID:2376
-
\??\c:\pjjpp.exec:\pjjpp.exe171⤵PID:1696
-
\??\c:\3pdpj.exec:\3pdpj.exe172⤵PID:4036
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe173⤵PID:2000
-
\??\c:\nhhbtt.exec:\nhhbtt.exe174⤵PID:116
-
\??\c:\btnhtn.exec:\btnhtn.exe175⤵PID:1928
-
\??\c:\ppdvp.exec:\ppdvp.exe176⤵PID:4440
-
\??\c:\lfrlllr.exec:\lfrlllr.exe177⤵PID:4092
-
\??\c:\1rlxrxr.exec:\1rlxrxr.exe178⤵PID:2864
-
\??\c:\1tnhbt.exec:\1tnhbt.exe179⤵PID:5076
-
\??\c:\7jjdj.exec:\7jjdj.exe180⤵PID:4816
-
\??\c:\pddvd.exec:\pddvd.exe181⤵PID:4992
-
\??\c:\5xxrrrr.exec:\5xxrrrr.exe182⤵PID:1064
-
\??\c:\9hbttt.exec:\9hbttt.exe183⤵PID:4472
-
\??\c:\bnhbhn.exec:\bnhbhn.exe184⤵PID:2384
-
\??\c:\pjpjv.exec:\pjpjv.exe185⤵PID:4668
-
\??\c:\xxfrlrl.exec:\xxfrlrl.exe186⤵PID:5096
-
\??\c:\tnnhhh.exec:\tnnhhh.exe187⤵PID:1028
-
\??\c:\nhhnnn.exec:\nhhnnn.exe188⤵PID:3820
-
\??\c:\jvpjv.exec:\jvpjv.exe189⤵PID:3756
-
\??\c:\llrrrxx.exec:\llrrrxx.exe190⤵PID:2880
-
\??\c:\tbbthb.exec:\tbbthb.exe191⤵PID:640
-
\??\c:\btbttb.exec:\btbttb.exe192⤵PID:2468
-
\??\c:\vjjdd.exec:\vjjdd.exe193⤵PID:2356
-
\??\c:\lffrflr.exec:\lffrflr.exe194⤵PID:4916
-
\??\c:\xlrlllf.exec:\xlrlllf.exe195⤵PID:1468
-
\??\c:\thntth.exec:\thntth.exe196⤵PID:3356
-
\??\c:\nhhbtt.exec:\nhhbtt.exe197⤵PID:2276
-
\??\c:\vdpjp.exec:\vdpjp.exe198⤵PID:376
-
\??\c:\frllfff.exec:\frllfff.exe199⤵PID:4324
-
\??\c:\xlllfxr.exec:\xlllfxr.exe200⤵PID:3580
-
\??\c:\1bbbbh.exec:\1bbbbh.exe201⤵PID:4456
-
\??\c:\hbhhnh.exec:\hbhhnh.exe202⤵PID:3916
-
\??\c:\1jdvj.exec:\1jdvj.exe203⤵PID:3716
-
\??\c:\xllxllf.exec:\xllxllf.exe204⤵PID:1792
-
\??\c:\ttnbnb.exec:\ttnbnb.exe205⤵PID:5028
-
\??\c:\htnbnh.exec:\htnbnh.exe206⤵PID:2988
-
\??\c:\jdddj.exec:\jdddj.exe207⤵PID:2604
-
\??\c:\7frrflx.exec:\7frrflx.exe208⤵PID:2072
-
\??\c:\rfrllfx.exec:\rfrllfx.exe209⤵PID:3324
-
\??\c:\nbbthb.exec:\nbbthb.exe210⤵PID:636
-
\??\c:\jdvpj.exec:\jdvpj.exe211⤵PID:544
-
\??\c:\1rrlflf.exec:\1rrlflf.exe212⤵PID:1424
-
\??\c:\xrfxrfr.exec:\xrfxrfr.exe213⤵PID:4468
-
\??\c:\nntnbn.exec:\nntnbn.exe214⤵PID:3124
-
\??\c:\thbthh.exec:\thbthh.exe215⤵PID:4136
-
\??\c:\djvpd.exec:\djvpd.exe216⤵PID:828
-
\??\c:\jvdjd.exec:\jvdjd.exe217⤵PID:536
-
\??\c:\9frllfl.exec:\9frllfl.exe218⤵PID:4480
-
\??\c:\bbbtnh.exec:\bbbtnh.exe219⤵PID:1020
-
\??\c:\hnnhhh.exec:\hnnhhh.exe220⤵PID:2896
-
\??\c:\pvpjv.exec:\pvpjv.exe221⤵PID:3256
-
\??\c:\xxrlfrl.exec:\xxrlfrl.exe222⤵PID:2388
-
\??\c:\nnhbbt.exec:\nnhbbt.exe223⤵PID:4608
-
\??\c:\ttbttn.exec:\ttbttn.exe224⤵PID:4220
-
\??\c:\pdvdj.exec:\pdvdj.exe225⤵PID:4372
-
\??\c:\lxffxrl.exec:\lxffxrl.exe226⤵PID:4556
-
\??\c:\lfxlxxl.exec:\lfxlxxl.exe227⤵PID:3852
-
\??\c:\tnhtnh.exec:\tnhtnh.exe228⤵PID:2404
-
\??\c:\vjpdj.exec:\vjpdj.exe229⤵PID:4032
-
\??\c:\dpjpj.exec:\dpjpj.exe230⤵PID:3208
-
\??\c:\7xrrlll.exec:\7xrrlll.exe231⤵PID:2832
-
\??\c:\nnbnbt.exec:\nnbnbt.exe232⤵PID:864
-
\??\c:\1dpjv.exec:\1dpjv.exe233⤵PID:3812
-
\??\c:\rrllxlr.exec:\rrllxlr.exe234⤵PID:908
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe235⤵PID:4832
-
\??\c:\hhnnnh.exec:\hhnnnh.exe236⤵PID:1804
-
\??\c:\tnbbhh.exec:\tnbbhh.exe237⤵PID:2224
-
\??\c:\pvpjd.exec:\pvpjd.exe238⤵PID:3820
-
\??\c:\5jvpj.exec:\5jvpj.exe239⤵PID:1736
-
\??\c:\rffxrll.exec:\rffxrll.exe240⤵PID:4520
-
\??\c:\tnbtnn.exec:\tnbtnn.exe241⤵PID:4616
-
\??\c:\nhbbbb.exec:\nhbbbb.exe242⤵PID:4352