Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30-05-2024 23:11
Behavioral task
behavioral1
Sample
6c696784ba6bac24ee74863800142a20_NeikiAnalytics.exe
Resource
win7-20231129-en (note: the header above reports platform windows10-2004_x64 / resource win10v2004-20240508-en, and every IoC below is tagged behavioral2; the behavioral1/Win7 task is listed here, but the results shown on this page appear to come from the Windows 10 run)
General
-
Target
6c696784ba6bac24ee74863800142a20_NeikiAnalytics.exe
-
Size
441KB
-
MD5
6c696784ba6bac24ee74863800142a20
-
SHA1
cdb7a90c00a59970d0d66d2b3c2b46f9deef0894
-
SHA256
ef76ea699e27a5d047f1c2453ac9b0a273c36d8307a63297e4ce7cd91a3848a1
-
SHA512
c281a9a386131e818e49ddf9a362e9d7d3980d63b7fe7590a8b1962a472aa30fd4e9b4e398f2749ea6d1f4a1547b1d03395056136fb9b31ce09df0471e622d29
-
SSDEEP
12288:w4wFHoS9KxbNnidEhjEJd1kNpeUgI95yRoZHVaoJMOxFXnRV4PiGO0hUmH9:kKxbNndhjEJd1kNpeUgI95yRoZHgoJMH
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/3880-5-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/964-12-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/800-20-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4232-27-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/668-26-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/824-37-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2156-39-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2876-50-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1336-60-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2180-67-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1828-75-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4736-73-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4044-80-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2324-87-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1440-98-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2548-104-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3364-114-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2192-121-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4724-127-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/644-132-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/696-135-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/1728-140-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/464-146-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1920-156-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4312-159-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3608-167-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/5100-176-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2264-195-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3220-205-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3412-209-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4336-210-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3796-217-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/668-230-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3032-234-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4128-241-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4756-251-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1600-264-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4188-268-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4044-276-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3560-286-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/640-293-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/5024-306-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/3440-356-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4424-360-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4348-373-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3032-383-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2140-394-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2640-408-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2592-418-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2392-434-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2468-444-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4140-475-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2264-485-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3796-504-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2288-517-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3384-527-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4192-534-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3472-603-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4212-671-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4340-754-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3560-779-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1096-916-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2404-959-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/4948-1057-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon -
Malware Dropper & Backdoor - Berbew 32 IoCs
Berbew is a backdoor Trojan with the capability to download and install additional malicious software, such as other Trojans, ransomware, and cryptominers. On this page the attribution rests on YARA matches (rule family_berbew) against the dropped executables listed below; the same run also matches family_blackmoon (memory regions) and upx (packed files), so treat the family label as indicative rather than definitive and confirm it against the dropped samples before acting on it.
Processes:
resource yara_rule C:\llrrlfr.exe family_berbew \??\c:\pjjdv.exe family_berbew C:\bnbttn.exe family_berbew C:\nnbtbb.exe family_berbew C:\thtthn.exe family_berbew C:\7llfxrr.exe family_berbew C:\ddvvp.exe family_berbew C:\lfrrlfr.exe family_berbew C:\3thbth.exe family_berbew C:\jdvjv.exe family_berbew C:\bttntb.exe family_berbew C:\vvvjj.exe family_berbew \??\c:\ffrxrff.exe family_berbew C:\dvvdp.exe family_berbew C:\xflrxlr.exe family_berbew C:\1pppj.exe family_berbew C:\lfllffx.exe family_berbew \??\c:\xrlffxr.exe family_berbew \??\c:\ppddd.exe family_berbew C:\frrrrfx.exe family_berbew \??\c:\xxrflxx.exe family_berbew C:\bhnhhn.exe family_berbew C:\dppdd.exe family_berbew C:\xfxxrrl.exe family_berbew C:\jvvpv.exe family_berbew C:\5dpdv.exe family_berbew \??\c:\lffxxxl.exe family_berbew C:\lxfffxf.exe family_berbew C:\hnbbtt.exe family_berbew \??\c:\djvpj.exe family_berbew \??\c:\fxlllff.exe family_berbew C:\vvddv.exe family_berbew -
Executes dropped EXE 64 IoCs (only the first 64 are listed here; the process tree further down shows the chain of dropped executables continuing to depth 242)
Processes:
llrrlfr.exepjjdv.exebnbttn.exennbtbb.exethtthn.exe7llfxrr.exeddvvp.exelfrrlfr.exe3thbth.exejdvjv.exebttntb.exevvvjj.exeffrxrff.exedvvdp.exexflrxlr.exe1pppj.exelfllffx.exexrlffxr.exeppddd.exefrrrrfx.exexxrflxx.exebhnhhn.exedppdd.exexfxxrrl.exejvvpv.exe5dpdv.exelffxxxl.exelxfffxf.exehnbbtt.exedjvpj.exefxlllff.exevvddv.exentntnb.exevpppp.exelfxlllr.exettbhnb.exeppjdv.exe3lrlflf.exebbhnnn.exedddvv.exe7rfxrlr.exehthhnt.exepjdvd.exellfxxxx.exethnnhh.exejjdpd.exerrlfffl.exe9thbtt.exepdvdv.exebhnhnh.exeppddv.exefrflfrl.exehhbnnh.exepvjjv.exetnnhhh.exe5dpjp.exedpddd.exehtttnn.exe3jppp.exerrlllll.exetbnnnb.exerrfrrlx.exenbhttb.exejvddv.exepid process 964 llrrlfr.exe 800 pjjdv.exe 668 bnbttn.exe 4232 nnbtbb.exe 824 thtthn.exe 2156 7llfxrr.exe 4036 ddvvp.exe 2876 lfrrlfr.exe 1336 3thbth.exe 2180 jdvjv.exe 4736 bttntb.exe 1828 vvvjj.exe 4044 ffrxrff.exe 2324 dvvdp.exe 3560 xflrxlr.exe 1440 1pppj.exe 2548 lfllffx.exe 3364 xrlffxr.exe 2192 ppddd.exe 4724 frrrrfx.exe 644 xxrflxx.exe 696 bhnhhn.exe 1728 dppdd.exe 464 xfxxrrl.exe 1920 jvvpv.exe 4312 5dpdv.exe 3608 lffxxxl.exe 5100 lxfffxf.exe 3472 hnbbtt.exe 340 djvpj.exe 2328 fxlllff.exe 2264 vvddv.exe 2456 ntntnb.exe 4764 vpppp.exe 3220 lfxlllr.exe 3412 ttbhnb.exe 4336 ppjdv.exe 3796 3lrlflf.exe 3556 bbhnnn.exe 1452 dddvv.exe 2240 7rfxrlr.exe 668 hthhnt.exe 3032 pjdvd.exe 3488 llfxxxx.exe 4128 thnnhh.exe 4904 jjdpd.exe 452 rrlfffl.exe 4268 9thbtt.exe 4756 pdvdv.exe 4980 bhnhnh.exe 804 ppddv.exe 2540 frflfrl.exe 1600 hhbnnh.exe 4188 pvjjv.exe 1796 tnnhhh.exe 4044 5dpjp.exe 4936 dpddd.exe 3560 htttnn.exe 4952 3jppp.exe 4052 rrlllll.exe 640 tbnnnb.exe 2372 rrfrrlx.exe 2192 nbhttb.exe 5024 jvddv.exe -
Processes (YARA rule `upx` matches on the original sample's memory, the dropped executables and their memory regions; the signature heading for this block is missing from the page):
resource yara_rule behavioral2/memory/3880-0-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\llrrlfr.exe upx behavioral2/memory/3880-5-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/964-12-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\pjjdv.exe upx behavioral2/memory/800-13-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\bnbttn.exe upx behavioral2/memory/800-20-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/668-18-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\nnbtbb.exe upx behavioral2/memory/4232-27-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/668-26-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\thtthn.exe upx C:\7llfxrr.exe upx behavioral2/memory/824-37-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2156-39-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\ddvvp.exe upx C:\lfrrlfr.exe upx behavioral2/memory/2876-50-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\3thbth.exe upx behavioral2/memory/1336-56-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1336-60-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\jdvjv.exe upx C:\bttntb.exe upx behavioral2/memory/2180-67-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\vvvjj.exe upx behavioral2/memory/1828-75-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4736-73-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\ffrxrff.exe upx behavioral2/memory/4044-80-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\dvvdp.exe upx C:\xflrxlr.exe upx behavioral2/memory/2324-87-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\1pppj.exe upx behavioral2/memory/1440-98-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\lfllffx.exe upx behavioral2/memory/2548-104-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\xrlffxr.exe upx 
behavioral2/memory/3364-114-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2192-115-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\ppddd.exe upx C:\frrrrfx.exe upx behavioral2/memory/2192-121-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\xxrflxx.exe upx behavioral2/memory/4724-127-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\bhnhhn.exe upx behavioral2/memory/644-132-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/696-135-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\dppdd.exe upx behavioral2/memory/1728-140-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\xfxxrrl.exe upx behavioral2/memory/464-146-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\jvvpv.exe upx C:\5dpdv.exe upx behavioral2/memory/1920-156-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4312-159-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\lffxxxl.exe upx behavioral2/memory/3608-167-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\lxfffxf.exe upx behavioral2/memory/5100-170-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\hnbbtt.exe upx behavioral2/memory/5100-176-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\djvpj.exe upx \??\c:\fxlllff.exe upx -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes to its newly spawned direct child three times; only the first 64 events are listed, while the process tree below shows the chain continuing well beyond them)
Processes:
6c696784ba6bac24ee74863800142a20_NeikiAnalytics.exellrrlfr.exepjjdv.exebnbttn.exennbtbb.exethtthn.exe7llfxrr.exeddvvp.exelfrrlfr.exe3thbth.exejdvjv.exebttntb.exevvvjj.exeffrxrff.exedvvdp.exexflrxlr.exe1pppj.exelfllffx.exexrlffxr.exeppddd.exefrrrrfx.exexxrflxx.exedescription pid process target process PID 3880 wrote to memory of 964 3880 6c696784ba6bac24ee74863800142a20_NeikiAnalytics.exe llrrlfr.exe PID 3880 wrote to memory of 964 3880 6c696784ba6bac24ee74863800142a20_NeikiAnalytics.exe llrrlfr.exe PID 3880 wrote to memory of 964 3880 6c696784ba6bac24ee74863800142a20_NeikiAnalytics.exe llrrlfr.exe PID 964 wrote to memory of 800 964 llrrlfr.exe pjjdv.exe PID 964 wrote to memory of 800 964 llrrlfr.exe pjjdv.exe PID 964 wrote to memory of 800 964 llrrlfr.exe pjjdv.exe PID 800 wrote to memory of 668 800 pjjdv.exe bnbttn.exe PID 800 wrote to memory of 668 800 pjjdv.exe bnbttn.exe PID 800 wrote to memory of 668 800 pjjdv.exe bnbttn.exe PID 668 wrote to memory of 4232 668 bnbttn.exe nnbtbb.exe PID 668 wrote to memory of 4232 668 bnbttn.exe nnbtbb.exe PID 668 wrote to memory of 4232 668 bnbttn.exe nnbtbb.exe PID 4232 wrote to memory of 824 4232 nnbtbb.exe thtthn.exe PID 4232 wrote to memory of 824 4232 nnbtbb.exe thtthn.exe PID 4232 wrote to memory of 824 4232 nnbtbb.exe thtthn.exe PID 824 wrote to memory of 2156 824 thtthn.exe 7llfxrr.exe PID 824 wrote to memory of 2156 824 thtthn.exe 7llfxrr.exe PID 824 wrote to memory of 2156 824 thtthn.exe 7llfxrr.exe PID 2156 wrote to memory of 4036 2156 7llfxrr.exe ddvvp.exe PID 2156 wrote to memory of 4036 2156 7llfxrr.exe ddvvp.exe PID 2156 wrote to memory of 4036 2156 7llfxrr.exe ddvvp.exe PID 4036 wrote to memory of 2876 4036 ddvvp.exe lfrrlfr.exe PID 4036 wrote to memory of 2876 4036 ddvvp.exe lfrrlfr.exe PID 4036 wrote to memory of 2876 4036 ddvvp.exe lfrrlfr.exe PID 2876 wrote to memory of 1336 2876 lfrrlfr.exe 3thbth.exe PID 2876 wrote to memory of 1336 2876 lfrrlfr.exe 3thbth.exe PID 2876 wrote to memory of 1336 2876 
lfrrlfr.exe 3thbth.exe PID 1336 wrote to memory of 2180 1336 3thbth.exe jdvjv.exe PID 1336 wrote to memory of 2180 1336 3thbth.exe jdvjv.exe PID 1336 wrote to memory of 2180 1336 3thbth.exe jdvjv.exe PID 2180 wrote to memory of 4736 2180 jdvjv.exe bttntb.exe PID 2180 wrote to memory of 4736 2180 jdvjv.exe bttntb.exe PID 2180 wrote to memory of 4736 2180 jdvjv.exe bttntb.exe PID 4736 wrote to memory of 1828 4736 bttntb.exe vvvjj.exe PID 4736 wrote to memory of 1828 4736 bttntb.exe vvvjj.exe PID 4736 wrote to memory of 1828 4736 bttntb.exe vvvjj.exe PID 1828 wrote to memory of 4044 1828 vvvjj.exe ffrxrff.exe PID 1828 wrote to memory of 4044 1828 vvvjj.exe ffrxrff.exe PID 1828 wrote to memory of 4044 1828 vvvjj.exe ffrxrff.exe PID 4044 wrote to memory of 2324 4044 ffrxrff.exe dvvdp.exe PID 4044 wrote to memory of 2324 4044 ffrxrff.exe dvvdp.exe PID 4044 wrote to memory of 2324 4044 ffrxrff.exe dvvdp.exe PID 2324 wrote to memory of 3560 2324 dvvdp.exe xflrxlr.exe PID 2324 wrote to memory of 3560 2324 dvvdp.exe xflrxlr.exe PID 2324 wrote to memory of 3560 2324 dvvdp.exe xflrxlr.exe PID 3560 wrote to memory of 1440 3560 xflrxlr.exe 1pppj.exe PID 3560 wrote to memory of 1440 3560 xflrxlr.exe 1pppj.exe PID 3560 wrote to memory of 1440 3560 xflrxlr.exe 1pppj.exe PID 1440 wrote to memory of 2548 1440 1pppj.exe lfllffx.exe PID 1440 wrote to memory of 2548 1440 1pppj.exe lfllffx.exe PID 1440 wrote to memory of 2548 1440 1pppj.exe lfllffx.exe PID 2548 wrote to memory of 3364 2548 lfllffx.exe xrlffxr.exe PID 2548 wrote to memory of 3364 2548 lfllffx.exe xrlffxr.exe PID 2548 wrote to memory of 3364 2548 lfllffx.exe xrlffxr.exe PID 3364 wrote to memory of 2192 3364 xrlffxr.exe ppddd.exe PID 3364 wrote to memory of 2192 3364 xrlffxr.exe ppddd.exe PID 3364 wrote to memory of 2192 3364 xrlffxr.exe ppddd.exe PID 2192 wrote to memory of 4724 2192 ppddd.exe frrrrfx.exe PID 2192 wrote to memory of 4724 2192 ppddd.exe frrrrfx.exe PID 2192 wrote to memory of 4724 2192 ppddd.exe frrrrfx.exe 
PID 4724 wrote to memory of 644 4724 frrrrfx.exe xxrflxx.exe PID 4724 wrote to memory of 644 4724 frrrrfx.exe xxrflxx.exe PID 4724 wrote to memory of 644 4724 frrrrfx.exe xxrflxx.exe PID 644 wrote to memory of 696 644 xxrflxx.exe bhnhhn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c696784ba6bac24ee74863800142a20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6c696784ba6bac24ee74863800142a20_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\llrrlfr.exec:\llrrlfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\pjjdv.exec:\pjjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\bnbttn.exec:\bnbttn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\nnbtbb.exec:\nnbtbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\thtthn.exec:\thtthn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\7llfxrr.exec:\7llfxrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\ddvvp.exec:\ddvvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\lfrrlfr.exec:\lfrrlfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\3thbth.exec:\3thbth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\jdvjv.exec:\jdvjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\bttntb.exec:\bttntb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\vvvjj.exec:\vvvjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\ffrxrff.exec:\ffrxrff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\dvvdp.exec:\dvvdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\xflrxlr.exec:\xflrxlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\1pppj.exec:\1pppj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\lfllffx.exec:\lfllffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\xrlffxr.exec:\xrlffxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
\??\c:\ppddd.exec:\ppddd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\frrrrfx.exec:\frrrrfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\xxrflxx.exec:\xxrflxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\bhnhhn.exec:\bhnhhn.exe23⤵
- Executes dropped EXE
PID:696 -
\??\c:\dppdd.exec:\dppdd.exe24⤵
- Executes dropped EXE
PID:1728 -
\??\c:\xfxxrrl.exec:\xfxxrrl.exe25⤵
- Executes dropped EXE
PID:464 -
\??\c:\jvvpv.exec:\jvvpv.exe26⤵
- Executes dropped EXE
PID:1920 -
\??\c:\5dpdv.exec:\5dpdv.exe27⤵
- Executes dropped EXE
PID:4312 -
\??\c:\lffxxxl.exec:\lffxxxl.exe28⤵
- Executes dropped EXE
PID:3608 -
\??\c:\lxfffxf.exec:\lxfffxf.exe29⤵
- Executes dropped EXE
PID:5100 -
\??\c:\hnbbtt.exec:\hnbbtt.exe30⤵
- Executes dropped EXE
PID:3472 -
\??\c:\djvpj.exec:\djvpj.exe31⤵
- Executes dropped EXE
PID:340 -
\??\c:\fxlllff.exec:\fxlllff.exe32⤵
- Executes dropped EXE
PID:2328 -
\??\c:\vvddv.exec:\vvddv.exe33⤵
- Executes dropped EXE
PID:2264 -
\??\c:\ntntnb.exec:\ntntnb.exe34⤵
- Executes dropped EXE
PID:2456 -
\??\c:\vpppp.exec:\vpppp.exe35⤵
- Executes dropped EXE
PID:4764 -
\??\c:\lfxlllr.exec:\lfxlllr.exe36⤵
- Executes dropped EXE
PID:3220 -
\??\c:\ttbhnb.exec:\ttbhnb.exe37⤵
- Executes dropped EXE
PID:3412 -
\??\c:\ppjdv.exec:\ppjdv.exe38⤵
- Executes dropped EXE
PID:4336 -
\??\c:\3lrlflf.exec:\3lrlflf.exe39⤵
- Executes dropped EXE
PID:3796 -
\??\c:\bbhnnn.exec:\bbhnnn.exe40⤵
- Executes dropped EXE
PID:3556 -
\??\c:\dddvv.exec:\dddvv.exe41⤵
- Executes dropped EXE
PID:1452 -
\??\c:\7rfxrlr.exec:\7rfxrlr.exe42⤵
- Executes dropped EXE
PID:2240 -
\??\c:\hthhnt.exec:\hthhnt.exe43⤵
- Executes dropped EXE
PID:668 -
\??\c:\pjdvd.exec:\pjdvd.exe44⤵
- Executes dropped EXE
PID:3032 -
\??\c:\llfxxxx.exec:\llfxxxx.exe45⤵
- Executes dropped EXE
PID:3488 -
\??\c:\thnnhh.exec:\thnnhh.exe46⤵
- Executes dropped EXE
PID:4128 -
\??\c:\jjdpd.exec:\jjdpd.exe47⤵
- Executes dropped EXE
PID:4904 -
\??\c:\rrlfffl.exec:\rrlfffl.exe48⤵
- Executes dropped EXE
PID:452 -
\??\c:\9thbtt.exec:\9thbtt.exe49⤵
- Executes dropped EXE
PID:4268 -
\??\c:\pdvdv.exec:\pdvdv.exe50⤵
- Executes dropped EXE
PID:4756 -
\??\c:\bhnhnh.exec:\bhnhnh.exe51⤵
- Executes dropped EXE
PID:4980 -
\??\c:\ppddv.exec:\ppddv.exe52⤵
- Executes dropped EXE
PID:804 -
\??\c:\frflfrl.exec:\frflfrl.exe53⤵
- Executes dropped EXE
PID:2540 -
\??\c:\hhbnnh.exec:\hhbnnh.exe54⤵
- Executes dropped EXE
PID:1600 -
\??\c:\pvjjv.exec:\pvjjv.exe55⤵
- Executes dropped EXE
PID:4188 -
\??\c:\tnnhhh.exec:\tnnhhh.exe56⤵
- Executes dropped EXE
PID:1796 -
\??\c:\5dpjp.exec:\5dpjp.exe57⤵
- Executes dropped EXE
PID:4044 -
\??\c:\dpddd.exec:\dpddd.exe58⤵
- Executes dropped EXE
PID:4936 -
\??\c:\htttnn.exec:\htttnn.exe59⤵
- Executes dropped EXE
PID:3560 -
\??\c:\3jppp.exec:\3jppp.exe60⤵
- Executes dropped EXE
PID:4952 -
\??\c:\rrlllll.exec:\rrlllll.exe61⤵
- Executes dropped EXE
PID:4052 -
\??\c:\tbnnnb.exec:\tbnnnb.exe62⤵
- Executes dropped EXE
PID:640 -
\??\c:\rrfrrlx.exec:\rrfrrlx.exe63⤵
- Executes dropped EXE
PID:2372 -
\??\c:\nbhttb.exec:\nbhttb.exe64⤵
- Executes dropped EXE
PID:2192 -
\??\c:\jvddv.exec:\jvddv.exe65⤵
- Executes dropped EXE
PID:5024 -
\??\c:\fffxxrr.exec:\fffxxrr.exe66⤵PID:3944
-
\??\c:\tthntb.exec:\tthntb.exe67⤵PID:3772
-
\??\c:\jvdvj.exec:\jvdvj.exe68⤵PID:3496
-
\??\c:\9rllrrr.exec:\9rllrrr.exe69⤵PID:3996
-
\??\c:\7nbbhn.exec:\7nbbhn.exe70⤵PID:1356
-
\??\c:\vdvjd.exec:\vdvjd.exe71⤵PID:5008
-
\??\c:\xxflffr.exec:\xxflffr.exe72⤵PID:3004
-
\??\c:\vjjdd.exec:\vjjdd.exe73⤵PID:2896
-
\??\c:\lxfxxxr.exec:\lxfxxxr.exe74⤵PID:4700
-
\??\c:\nhtnnn.exec:\nhtnnn.exe75⤵PID:3328
-
\??\c:\bbbbhh.exec:\bbbbhh.exe76⤵PID:1648
-
\??\c:\1jpjd.exec:\1jpjd.exe77⤵PID:2012
-
\??\c:\7bnnhn.exec:\7bnnhn.exe78⤵PID:4948
-
\??\c:\bnnhnb.exec:\bnnhnb.exe79⤵PID:1772
-
\??\c:\dpjpp.exec:\dpjpp.exe80⤵PID:328
-
\??\c:\3xlllxx.exec:\3xlllxx.exe81⤵PID:4552
-
\??\c:\thtnbb.exec:\thtnbb.exe82⤵PID:3440
-
\??\c:\djdjd.exec:\djdjd.exe83⤵PID:4424
-
\??\c:\dvddj.exec:\dvddj.exe84⤵PID:400
-
\??\c:\rlxflxl.exec:\rlxflxl.exe85⤵PID:2216
-
\??\c:\hbbtnb.exec:\hbbtnb.exe86⤵PID:1912
-
\??\c:\lrlfffx.exec:\lrlfffx.exe87⤵PID:4348
-
\??\c:\thtnbb.exec:\thtnbb.exe88⤵PID:3736
-
\??\c:\jppjj.exec:\jppjj.exe89⤵PID:468
-
\??\c:\rfxxxxr.exec:\rfxxxxr.exe90⤵PID:2776
-
\??\c:\frrlfxr.exec:\frrlfxr.exe91⤵PID:3032
-
\??\c:\nbbbtb.exec:\nbbbtb.exe92⤵PID:4128
-
\??\c:\pjdvv.exec:\pjdvv.exe93⤵PID:2140
-
\??\c:\rlrrrxr.exec:\rlrrrxr.exe94⤵PID:3044
-
\??\c:\5bbtnn.exec:\5bbtnn.exe95⤵PID:856
-
\??\c:\jdjjp.exec:\jdjjp.exe96⤵PID:4744
-
\??\c:\dpvvp.exec:\dpvvp.exe97⤵PID:620
-
\??\c:\rxxrlrr.exec:\rxxrlrr.exe98⤵PID:2640
-
\??\c:\5hnbbn.exec:\5hnbbn.exe99⤵PID:3448
-
\??\c:\jvvdd.exec:\jvvdd.exe100⤵PID:2592
-
\??\c:\fxflrrx.exec:\fxflrrx.exe101⤵PID:3356
-
\??\c:\1hnnhh.exec:\1hnnhh.exe102⤵PID:4212
-
\??\c:\jjdvv.exec:\jjdvv.exe103⤵PID:1144
-
\??\c:\rfxxxxx.exec:\rfxxxxx.exe104⤵PID:2408
-
\??\c:\hnnnhh.exec:\hnnnhh.exe105⤵PID:2392
-
\??\c:\dvjdp.exec:\dvjdp.exe106⤵PID:1608
-
\??\c:\lrxfrfr.exec:\lrxfrfr.exe107⤵PID:4588
-
\??\c:\xxxrxrr.exec:\xxxrxrr.exe108⤵PID:4500
-
\??\c:\nhbtnh.exec:\nhbtnh.exe109⤵PID:2468
-
\??\c:\dvpjp.exec:\dvpjp.exe110⤵PID:3380
-
\??\c:\rlllxlx.exec:\rlllxlx.exe111⤵PID:3396
-
\??\c:\tnbtbh.exec:\tnbtbh.exe112⤵PID:4220
-
\??\c:\thhbbh.exec:\thhbbh.exe113⤵PID:4092
-
\??\c:\dpjvv.exec:\dpjvv.exe114⤵PID:1100
-
\??\c:\xxfrfxr.exec:\xxfrfxr.exe115⤵PID:4584
-
\??\c:\9lxlffr.exec:\9lxlffr.exe116⤵PID:3528
-
\??\c:\hnthbb.exec:\hnthbb.exe117⤵PID:5100
-
\??\c:\pvdvv.exec:\pvdvv.exe118⤵PID:3912
-
\??\c:\rxxfrfx.exec:\rxxfrfx.exe119⤵PID:4140
-
\??\c:\ttthbt.exec:\ttthbt.exe120⤵PID:4948
-
\??\c:\3vddj.exec:\3vddj.exe121⤵PID:2264
-
\??\c:\5ffxrrl.exec:\5ffxrrl.exe122⤵PID:4308
-
\??\c:\hbbbbh.exec:\hbbbbh.exe123⤵PID:4440
-
\??\c:\vpdvv.exec:\vpdvv.exe124⤵PID:876
-
\??\c:\vjpjd.exec:\vjpjd.exe125⤵PID:3484
-
\??\c:\ntnnnt.exec:\ntnnnt.exe126⤵PID:3112
-
\??\c:\hnttnn.exec:\hnttnn.exe127⤵PID:3796
-
\??\c:\9xfrfff.exec:\9xfrfff.exe128⤵PID:3248
-
\??\c:\1bhbbt.exec:\1bhbbt.exe129⤵PID:440
-
\??\c:\5dpdv.exec:\5dpdv.exe130⤵PID:1012
-
\??\c:\vpppj.exec:\vpppj.exe131⤵PID:2288
-
\??\c:\bhnnhh.exec:\bhnnhh.exe132⤵PID:2132
-
\??\c:\nnnhbh.exec:\nnnhbh.exe133⤵PID:4920
-
\??\c:\1vpjd.exec:\1vpjd.exe134⤵PID:3384
-
\??\c:\fxlfxrr.exec:\fxlfxrr.exe135⤵PID:4932
-
\??\c:\hbtnhb.exec:\hbtnhb.exe136⤵PID:3884
-
\??\c:\jvvvp.exec:\jvvvp.exe137⤵PID:4192
-
\??\c:\xrfxrrl.exec:\xrfxrrl.exe138⤵PID:2248
-
\??\c:\hhntth.exec:\hhntth.exe139⤵PID:4596
-
\??\c:\bnttnh.exec:\bnttnh.exe140⤵PID:2768
-
\??\c:\pjjpj.exec:\pjjpj.exe141⤵PID:3704
-
\??\c:\5rlfxxx.exec:\5rlfxxx.exe142⤵PID:4176
-
\??\c:\bthbtb.exec:\bthbtb.exe143⤵PID:4480
-
\??\c:\nbbhbt.exec:\nbbhbt.exe144⤵PID:5116
-
\??\c:\pvjdj.exec:\pvjdj.exe145⤵PID:4656
-
\??\c:\hbhbtt.exec:\hbhbtt.exe146⤵PID:4772
-
\??\c:\ppppp.exec:\ppppp.exe147⤵PID:1744
-
\??\c:\1xxllff.exec:\1xxllff.exe148⤵PID:4428
-
\??\c:\hhhtnt.exec:\hhhtnt.exe149⤵PID:696
-
\??\c:\vpvpp.exec:\vpvpp.exe150⤵PID:3844
-
\??\c:\pjjdv.exec:\pjjdv.exe151⤵PID:2468
-
\??\c:\lllxxxx.exec:\lllxxxx.exe152⤵PID:464
-
\??\c:\ntnbbt.exec:\ntnbbt.exe153⤵PID:4296
-
\??\c:\jjjpp.exec:\jjjpp.exe154⤵PID:4568
-
\??\c:\1rrxlxl.exec:\1rrxlxl.exe155⤵PID:4160
-
\??\c:\9bbttb.exec:\9bbttb.exe156⤵PID:564
-
\??\c:\dpvpj.exec:\dpvpj.exe157⤵PID:3268
-
\??\c:\rxffxlx.exec:\rxffxlx.exe158⤵PID:3472
-
\??\c:\btbbtn.exec:\btbbtn.exe159⤵PID:3660
-
\??\c:\pjpjd.exec:\pjpjd.exe160⤵PID:4140
-
\??\c:\flfxrlf.exec:\flfxrlf.exe161⤵PID:3636
-
\??\c:\1nnhbn.exec:\1nnhbn.exe162⤵PID:1064
-
\??\c:\bthbnt.exec:\bthbnt.exe163⤵PID:3440
-
\??\c:\dvvpj.exec:\dvvpj.exe164⤵PID:4992
-
\??\c:\fxlrrrl.exec:\fxlrrrl.exe165⤵PID:2404
-
\??\c:\hhhbbb.exec:\hhhbbb.exe166⤵PID:2120
-
\??\c:\vvjjj.exec:\vvjjj.exe167⤵PID:2136
-
\??\c:\rllfxrl.exec:\rllfxrl.exe168⤵PID:2932
-
\??\c:\thnhhb.exec:\thnhhb.exe169⤵PID:2772
-
\??\c:\jvdpp.exec:\jvdpp.exe170⤵PID:2776
-
\??\c:\fllffxr.exec:\fllffxr.exe171⤵PID:2088
-
\??\c:\rxxffll.exec:\rxxffll.exe172⤵PID:3956
-
\??\c:\ttttnt.exec:\ttttnt.exe173⤵PID:4128
-
\??\c:\5pvdd.exec:\5pvdd.exe174⤵PID:2304
-
\??\c:\xllrlfx.exec:\xllrlfx.exe175⤵PID:3384
-
\??\c:\hhhttn.exec:\hhhttn.exe176⤵PID:1800
-
\??\c:\5vjjp.exec:\5vjjp.exe177⤵PID:4744
-
\??\c:\7flfxxx.exec:\7flfxxx.exe178⤵PID:4192
-
\??\c:\hhhtth.exec:\hhhtth.exe179⤵PID:3892
-
\??\c:\dpjjv.exec:\dpjjv.exe180⤵PID:4320
-
\??\c:\rlrfffx.exec:\rlrfffx.exe181⤵PID:4052
-
\??\c:\3hbbtb.exec:\3hbbtb.exe182⤵PID:4212
-
\??\c:\9vvpj.exec:\9vvpj.exe183⤵PID:5116
-
\??\c:\xflfxxl.exec:\xflfxxl.exe184⤵PID:4656
-
\??\c:\tbtnbh.exec:\tbtnbh.exe185⤵PID:2092
-
\??\c:\vdjdp.exec:\vdjdp.exe186⤵PID:5024
-
\??\c:\rllffff.exec:\rllffff.exe187⤵PID:4872
-
\??\c:\tbtttn.exec:\tbtttn.exe188⤵PID:2168
-
\??\c:\pdpvd.exec:\pdpvd.exe189⤵PID:5072
-
\??\c:\pvdjp.exec:\pvdjp.exe190⤵PID:3996
-
\??\c:\xlxrffl.exec:\xlxrffl.exe191⤵PID:4112
-
\??\c:\ttnttn.exec:\ttnttn.exe192⤵PID:4296
-
\??\c:\5jjjp.exec:\5jjjp.exe193⤵PID:3984
-
\??\c:\llflrlf.exec:\llflrlf.exe194⤵PID:4160
-
\??\c:\bhttnt.exec:\bhttnt.exe195⤵PID:3528
-
\??\c:\dvppp.exec:\dvppp.exe196⤵PID:5100
-
\??\c:\xlrxlfx.exec:\xlrxlfx.exe197⤵PID:3792
-
\??\c:\bhntnn.exec:\bhntnn.exe198⤵PID:2328
-
\??\c:\jjpvv.exec:\jjpvv.exe199⤵PID:4184
-
\??\c:\xrlllxx.exec:\xrlllxx.exe200⤵PID:3636
-
\??\c:\btthtn.exec:\btthtn.exe201⤵PID:2456
-
\??\c:\vjvdv.exec:\vjvdv.exe202⤵PID:964
-
\??\c:\pjdvp.exec:\pjdvp.exe203⤵PID:876
-
\??\c:\xrrfxll.exec:\xrrfxll.exe204⤵PID:800
-
\??\c:\tbtnbb.exec:\tbtnbb.exe205⤵PID:3556
-
\??\c:\dppjd.exec:\dppjd.exe206⤵PID:2800
-
\??\c:\xrrrrxl.exec:\xrrrrxl.exe207⤵PID:2072
-
\??\c:\nbnthn.exec:\nbnthn.exe208⤵PID:4340
-
\??\c:\jdvvp.exec:\jdvvp.exe209⤵PID:3032
-
\??\c:\llffxff.exec:\llffxff.exe210⤵PID:3956
-
\??\c:\bhbtbh.exec:\bhbtbh.exe211⤵PID:2876
-
\??\c:\ddpjd.exec:\ddpjd.exe212⤵PID:396
-
\??\c:\vjpjd.exec:\vjpjd.exe213⤵PID:4324
-
\??\c:\fxlfffr.exec:\fxlfffr.exe214⤵PID:2740
-
\??\c:\tbbbbh.exec:\tbbbbh.exe215⤵PID:4744
-
\??\c:\ddvvp.exec:\ddvvp.exe216⤵PID:4188
-
\??\c:\lrxrrxx.exec:\lrxrrxx.exe217⤵PID:3560
-
\??\c:\tttnht.exec:\tttnht.exe218⤵PID:1436
-
\??\c:\hhnhbb.exec:\hhnhbb.exe219⤵PID:4752
-
\??\c:\dpjvv.exec:\dpjvv.exe220⤵PID:4844
-
\??\c:\1rrlfff.exec:\1rrlfff.exe221⤵PID:4724
-
\??\c:\5bhhnt.exec:\5bhhnt.exe222⤵PID:2092
-
\??\c:\dvvdj.exec:\dvvdj.exe223⤵PID:1572
-
\??\c:\jdjdv.exec:\jdjdv.exe224⤵PID:4872
-
\??\c:\lxxxlxr.exec:\lxxxlxr.exe225⤵PID:4964
-
\??\c:\nnhnnt.exec:\nnhnnt.exe226⤵PID:3844
-
\??\c:\vdjjv.exec:\vdjjv.exe227⤵PID:1356
-
\??\c:\rrxlxxl.exec:\rrxlxxl.exe228⤵PID:4468
-
\??\c:\5tnttb.exec:\5tnttb.exe229⤵PID:4296
-
\??\c:\9ppjj.exec:\9ppjj.exe230⤵PID:3984
-
\??\c:\9lfxxfx.exec:\9lfxxfx.exe231⤵PID:4160
-
\??\c:\ntbttt.exec:\ntbttt.exe232⤵PID:3300
-
\??\c:\jjdvd.exec:\jjdvd.exe233⤵PID:3660
-
\??\c:\xlxxfrx.exec:\xlxxfrx.exe234⤵PID:4140
-
\??\c:\htnttb.exec:\htnttb.exe235⤵PID:3376
-
\??\c:\hbnnnb.exec:\hbnnnb.exe236⤵PID:4436
-
\??\c:\jdppp.exec:\jdppp.exe237⤵PID:3636
-
\??\c:\rlxrlrf.exec:\rlxrlrf.exe238⤵PID:2456
-
\??\c:\nhtnhh.exec:\nhtnhh.exe239⤵PID:3392
-
\??\c:\jvjdv.exec:\jvjdv.exe240⤵PID:1560
-
\??\c:\llfllxr.exec:\llfllxr.exe241⤵PID:3736
-
\??\c:\bbhbhb.exec:\bbhbhb.exe242⤵PID:668