Analysis
-
max time kernel
150s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30-05-2024 15:51
Behavioral task
behavioral1
Sample
77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe
Resource
win7-20240215-en
Note: this task entry names the win7-20240215-en image, but every signature hit and memory-dump path below is tagged behavioral2 and the Analysis header names win10v2004-20240426-en. The detail on this page therefore comes from the Windows 10 run; results for this Windows 7 task are not shown here.
General
-
Target
77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe
-
Size
192KB
-
MD5
77b7c6a02c79ab73015e4d28c4905590
-
SHA1
e22c4ce2d464e1c6c983290bfa11974ec4cc492f
-
SHA256
0c06351ce37fd6aca129a115294fd79bee5e976a9428825950fcad33f26ac2b1
-
SHA512
6ba024876fc86a4a8fbc4bd5084fce06af20e68acd1a190e624d2961145da9b8d1b2ae0a1800932502bb863d771993b6eb3fe537088dada5d7230643683ac5ef
-
SSDEEP
3072:FhOmTsF93UYfwC6GIoutrVCfMoh52waAyiJ8mqtbfUVKty16hDsI/tSvm:Fcm4FmowdHoS8fMoSVAHubPtyYxfT
Malware Config (no configuration or C2 data is listed for this run)
Signatures
-
Detect Blackmoon payload 64 IoCs (family_blackmoon matched only on in-memory dumps, each covering the same image range 0x400000-0x436000 of a process in the spawn chain; none of the matches is on a file on disk, so this is a match against the running image, consistent with the UPX-packed files unpacking in memory)
Processes:
resource yara_rule behavioral2/memory/3944-19-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3496-13-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4636-6-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1152-30-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1152-36-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1676-37-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3960-43-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1660-49-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1580-55-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1968-65-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1880-75-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1276-88-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1520-93-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2864-98-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3392-104-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4716-119-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2172-118-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2496-126-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/804-132-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4620-140-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4424-153-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/1548-159-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1364-166-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1624-172-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1696-178-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/5032-186-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4808-193-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4076-197-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3240-203-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2868-222-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1304-229-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3628-237-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4640-252-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/964-266-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/264-267-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4572-275-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3136-285-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1996-289-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2000-299-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2484-321-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3024-323-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3036-326-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/3404-336-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2292-344-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3648-358-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4424-364-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1896-375-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/636-391-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1928-405-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4748-434-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1148-441-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2988-454-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/368-458-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/688-495-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2244-509-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3000-516-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/812-584-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1044-588-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4792-616-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2308-637-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2716-658-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1492-694-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1468-710-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/4532-959-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon -
Malware Dropper & Backdoor - Berbew 32 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers. In this report the family_berbew rule matched the executables dropped into the drive root (C:\ and \??\c:\), while family_blackmoon above matched the memory images of the same chain; both labels are YARA name-based attributions on one sample, so treat them as overlapping heuristic family tags rather than evidence of two distinct infections. No download or C2 activity is recorded on this page to support the "downloads additional software" capability for this particular run.
Processes:
resource yara_rule \??\c:\tnnhhb.exe family_berbew C:\vvpvv.exe family_berbew C:\9rlfffx.exe family_berbew C:\9rffxfr.exe family_berbew C:\tnbhbb.exe family_berbew \??\c:\vvvvp.exe family_berbew C:\rrxxffl.exe family_berbew C:\thhhbb.exe family_berbew C:\vdjvv.exe family_berbew C:\3rxrlxr.exe family_berbew C:\hhbtnh.exe family_berbew C:\frxxxlx.exe family_berbew C:\tttnhh.exe family_berbew C:\1bbhhh.exe family_berbew C:\vvvjj.exe family_berbew C:\xrfxllf.exe family_berbew C:\btbtbb.exe family_berbew C:\lfrxlrr.exe family_berbew \??\c:\ttbttt.exe family_berbew C:\bnnthh.exe family_berbew \??\c:\ddpjj.exe family_berbew C:\fxxrrll.exe family_berbew C:\nhnhnh.exe family_berbew C:\pjvpj.exe family_berbew \??\c:\xrxrlfx.exe family_berbew C:\frxrlfx.exe family_berbew C:\hbtnhb.exe family_berbew C:\jdjdd.exe family_berbew C:\ddvpp.exe family_berbew C:\frfxrrl.exe family_berbew C:\htnnhh.exe family_berbew C:\ntbbnh.exe family_berbew -
Executes dropped EXE 64 IoCs (note PID reuse within this single run: 1152, 1676, 3136 and 4424 each appear twice in the table below with different image names, because earlier chain members had already exited; correlate events by image name and parent, not by PID alone)
Processes:
tnnhhb.exevvpvv.exe9rlfffx.exe9rffxfr.exetnbhbb.exevvvvp.exerrxxffl.exethhhbb.exevdjvv.exe3rxrlxr.exehhbtnh.exefrxxxlx.exetttnhh.exe1bbhhh.exevvvjj.exexrfxllf.exebtbtbb.exelfrxlrr.exettbttt.exebnnthh.exeddpjj.exefxxrrll.exenhnhnh.exepjvpj.exexrxrlfx.exefrxrlfx.exehbtnhb.exejdjdd.exeddvpp.exefrfxrrl.exehtnnhh.exentbbnh.exevpvjv.exellrrrfl.exexxxfxxr.exe1bhbnn.exeppvjp.exeppvvj.exe9ffxrrl.exe9lfxrrr.exetnbtnn.exe3hnbtt.exe3djdv.exexrfffxr.exexlllffx.exehttnbt.exevdddv.exejdvpv.exerxfxfff.exenttbnh.exehbnbtn.exepjdvj.exerxfxrrr.exehnbbtb.exenntbtt.exejdvpv.exeddvjd.exe3flfrfr.exehnnhhh.exevjvpp.exepddvv.exe1xffxxx.exerllflfl.exe7bhnhb.exepid process 3436 tnnhhb.exe 3496 vvpvv.exe 3944 9rlfffx.exe 1772 9rffxfr.exe 1152 tnbhbb.exe 1676 vvvvp.exe 3960 rrxxffl.exe 1660 thhhbb.exe 1580 vdjvv.exe 1968 3rxrlxr.exe 3136 hhbtnh.exe 1880 frxxxlx.exe 2076 tttnhh.exe 1276 1bbhhh.exe 1520 vvvjj.exe 2864 xrfxllf.exe 3392 btbtbb.exe 4164 lfrxlrr.exe 2172 ttbttt.exe 4716 bnnthh.exe 2496 ddpjj.exe 804 fxxrrll.exe 4620 nhnhnh.exe 4608 pjvpj.exe 3932 xrxrlfx.exe 4424 frxrlfx.exe 1548 hbtnhb.exe 1364 jdjdd.exe 1624 ddvpp.exe 1696 frfxrrl.exe 5032 htnnhh.exe 636 ntbbnh.exe 4808 vpvjv.exe 4076 llrrrfl.exe 3240 xxxfxxr.exe 4244 1bhbnn.exe 1500 ppvjp.exe 3264 ppvvj.exe 4844 9ffxrrl.exe 4800 9lfxrrr.exe 2868 tnbtnn.exe 2156 3hnbtt.exe 1304 3djdv.exe 4748 xrfffxr.exe 2436 xlllffx.exe 3628 httnbt.exe 4792 vdddv.exe 3616 jdvpv.exe 4220 rxfxfff.exe 4640 nttbnh.exe 1152 hbnbtn.exe 1676 pjdvj.exe 3620 rxfxrrr.exe 964 hnbbtb.exe 264 nntbtt.exe 4572 jdvpv.exe 1256 ddvjd.exe 1852 3flfrfr.exe 3136 hnnhhh.exe 1996 vjvpp.exe 2388 pddvv.exe 1748 1xffxxx.exe 2000 rllflfl.exe 688 7bhnhb.exe -
UPX packed (yara rule `upx` matched the original sample's memory image, every dropped executable on disk, and the 0x400000-0x436000 image region of each spawned process)
Processes:
resource yara_rule behavioral2/memory/4636-0-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\tnnhhb.exe upx behavioral2/memory/3436-7-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\vvpvv.exe upx C:\9rlfffx.exe upx behavioral2/memory/3944-19-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\9rffxfr.exe upx behavioral2/memory/3496-13-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4636-6-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\tnbhbb.exe upx behavioral2/memory/1152-30-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1152-36-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1676-37-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\vvvvp.exe upx C:\rrxxffl.exe upx behavioral2/memory/3960-43-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\thhhbb.exe upx behavioral2/memory/1660-49-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\vdjvv.exe upx behavioral2/memory/1580-55-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\3rxrlxr.exe upx behavioral2/memory/1968-61-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\hhbtnh.exe upx behavioral2/memory/1968-65-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\frxxxlx.exe upx behavioral2/memory/1880-72-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\tttnhh.exe upx behavioral2/memory/1880-75-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\1bbhhh.exe upx C:\vvvjj.exe upx behavioral2/memory/1276-88-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\xrfxllf.exe upx behavioral2/memory/1520-93-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\btbtbb.exe upx behavioral2/memory/2864-98-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3392-104-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\lfrxlrr.exe upx behavioral2/memory/4164-106-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\ttbttt.exe upx 
behavioral2/memory/2172-112-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\bnnthh.exe upx behavioral2/memory/4716-119-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2172-118-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\ddpjj.exe upx behavioral2/memory/2496-126-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\fxxrrll.exe upx behavioral2/memory/804-132-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\nhnhnh.exe upx behavioral2/memory/4620-140-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\pjvpj.exe upx \??\c:\xrxrlfx.exe upx C:\frxrlfx.exe upx behavioral2/memory/4424-153-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\hbtnhb.exe upx C:\jdjdd.exe upx behavioral2/memory/1548-159-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1364-166-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\ddvpp.exe upx behavioral2/memory/1624-172-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\frfxrrl.exe upx behavioral2/memory/1696-178-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\htnnhh.exe upx behavioral2/memory/5032-186-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\ntbbnh.exe upx -
Suspicious use of WriteProcessMemory 64 IoCs (every target listed below is the immediate child that the writing process spawns in the tree further down, recorded as three writes per parent-to-child pair; this pattern fits each stage launching the next stage and does not by itself show injection into an unrelated or pre-existing process)
Processes:
77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exetnnhhb.exevvpvv.exe9rlfffx.exe9rffxfr.exetnbhbb.exevvvvp.exerrxxffl.exethhhbb.exevdjvv.exe3rxrlxr.exehhbtnh.exefrxxxlx.exetttnhh.exe1bbhhh.exevvvjj.exexrfxllf.exebtbtbb.exelfrxlrr.exettbttt.exebnnthh.exeddpjj.exedescription pid process target process PID 4636 wrote to memory of 3436 4636 77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe tnnhhb.exe PID 4636 wrote to memory of 3436 4636 77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe tnnhhb.exe PID 4636 wrote to memory of 3436 4636 77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe tnnhhb.exe PID 3436 wrote to memory of 3496 3436 tnnhhb.exe vvpvv.exe PID 3436 wrote to memory of 3496 3436 tnnhhb.exe vvpvv.exe PID 3436 wrote to memory of 3496 3436 tnnhhb.exe vvpvv.exe PID 3496 wrote to memory of 3944 3496 vvpvv.exe 9rlfffx.exe PID 3496 wrote to memory of 3944 3496 vvpvv.exe 9rlfffx.exe PID 3496 wrote to memory of 3944 3496 vvpvv.exe 9rlfffx.exe PID 3944 wrote to memory of 1772 3944 9rlfffx.exe 9rffxfr.exe PID 3944 wrote to memory of 1772 3944 9rlfffx.exe 9rffxfr.exe PID 3944 wrote to memory of 1772 3944 9rlfffx.exe 9rffxfr.exe PID 1772 wrote to memory of 1152 1772 9rffxfr.exe tnbhbb.exe PID 1772 wrote to memory of 1152 1772 9rffxfr.exe tnbhbb.exe PID 1772 wrote to memory of 1152 1772 9rffxfr.exe tnbhbb.exe PID 1152 wrote to memory of 1676 1152 tnbhbb.exe vvvvp.exe PID 1152 wrote to memory of 1676 1152 tnbhbb.exe vvvvp.exe PID 1152 wrote to memory of 1676 1152 tnbhbb.exe vvvvp.exe PID 1676 wrote to memory of 3960 1676 vvvvp.exe rrxxffl.exe PID 1676 wrote to memory of 3960 1676 vvvvp.exe rrxxffl.exe PID 1676 wrote to memory of 3960 1676 vvvvp.exe rrxxffl.exe PID 3960 wrote to memory of 1660 3960 rrxxffl.exe thhhbb.exe PID 3960 wrote to memory of 1660 3960 rrxxffl.exe thhhbb.exe PID 3960 wrote to memory of 1660 3960 rrxxffl.exe thhhbb.exe PID 1660 wrote to memory of 1580 1660 thhhbb.exe vdjvv.exe PID 1660 wrote to memory of 1580 1660 thhhbb.exe vdjvv.exe PID 1660 
wrote to memory of 1580 1660 thhhbb.exe vdjvv.exe PID 1580 wrote to memory of 1968 1580 vdjvv.exe 3rxrlxr.exe PID 1580 wrote to memory of 1968 1580 vdjvv.exe 3rxrlxr.exe PID 1580 wrote to memory of 1968 1580 vdjvv.exe 3rxrlxr.exe PID 1968 wrote to memory of 3136 1968 3rxrlxr.exe hhbtnh.exe PID 1968 wrote to memory of 3136 1968 3rxrlxr.exe hhbtnh.exe PID 1968 wrote to memory of 3136 1968 3rxrlxr.exe hhbtnh.exe PID 3136 wrote to memory of 1880 3136 hhbtnh.exe frxxxlx.exe PID 3136 wrote to memory of 1880 3136 hhbtnh.exe frxxxlx.exe PID 3136 wrote to memory of 1880 3136 hhbtnh.exe frxxxlx.exe PID 1880 wrote to memory of 2076 1880 frxxxlx.exe tttnhh.exe PID 1880 wrote to memory of 2076 1880 frxxxlx.exe tttnhh.exe PID 1880 wrote to memory of 2076 1880 frxxxlx.exe tttnhh.exe PID 2076 wrote to memory of 1276 2076 tttnhh.exe 1bbhhh.exe PID 2076 wrote to memory of 1276 2076 tttnhh.exe 1bbhhh.exe PID 2076 wrote to memory of 1276 2076 tttnhh.exe 1bbhhh.exe PID 1276 wrote to memory of 1520 1276 1bbhhh.exe vvvjj.exe PID 1276 wrote to memory of 1520 1276 1bbhhh.exe vvvjj.exe PID 1276 wrote to memory of 1520 1276 1bbhhh.exe vvvjj.exe PID 1520 wrote to memory of 2864 1520 vvvjj.exe xrfxllf.exe PID 1520 wrote to memory of 2864 1520 vvvjj.exe xrfxllf.exe PID 1520 wrote to memory of 2864 1520 vvvjj.exe xrfxllf.exe PID 2864 wrote to memory of 3392 2864 xrfxllf.exe btbtbb.exe PID 2864 wrote to memory of 3392 2864 xrfxllf.exe btbtbb.exe PID 2864 wrote to memory of 3392 2864 xrfxllf.exe btbtbb.exe PID 3392 wrote to memory of 4164 3392 btbtbb.exe lfrxlrr.exe PID 3392 wrote to memory of 4164 3392 btbtbb.exe lfrxlrr.exe PID 3392 wrote to memory of 4164 3392 btbtbb.exe lfrxlrr.exe PID 4164 wrote to memory of 2172 4164 lfrxlrr.exe ttbttt.exe PID 4164 wrote to memory of 2172 4164 lfrxlrr.exe ttbttt.exe PID 4164 wrote to memory of 2172 4164 lfrxlrr.exe ttbttt.exe PID 2172 wrote to memory of 4716 2172 ttbttt.exe bnnthh.exe PID 2172 wrote to memory of 4716 2172 ttbttt.exe bnnthh.exe PID 2172 wrote 
to memory of 4716 2172 ttbttt.exe bnnthh.exe PID 4716 wrote to memory of 2496 4716 bnnthh.exe ddpjj.exe PID 4716 wrote to memory of 2496 4716 bnnthh.exe ddpjj.exe PID 4716 wrote to memory of 2496 4716 bnnthh.exe ddpjj.exe PID 2496 wrote to memory of 804 2496 ddpjj.exe fxxrrll.exe
Processes (a linear spawn chain: the sample launches a dropped executable in the drive root, which launches the next, and so on; the tree below ends at depth 242, which may reflect the 150 s kernel time limit rather than the end of the chain. Dropped file names are built from the letter set {b,d,f,h,j,l,n,p,r,t,v,x} plus occasional digits; executables written directly to C:\ with names of this shape are a usable hunting artifact)
-
C:\Users\Admin\AppData\Local\Temp\77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\tnnhhb.exec:\tnnhhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\vvpvv.exec:\vvpvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\9rlfffx.exec:\9rlfffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\9rffxfr.exec:\9rffxfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\tnbhbb.exec:\tnbhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\vvvvp.exec:\vvvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\rrxxffl.exec:\rrxxffl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\thhhbb.exec:\thhhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\vdjvv.exec:\vdjvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\3rxrlxr.exec:\3rxrlxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\hhbtnh.exec:\hhbtnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\frxxxlx.exec:\frxxxlx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\tttnhh.exec:\tttnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\1bbhhh.exec:\1bbhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\vvvjj.exec:\vvvjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\xrfxllf.exec:\xrfxllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\btbtbb.exec:\btbtbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\lfrxlrr.exec:\lfrxlrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\ttbttt.exec:\ttbttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\bnnthh.exec:\bnnthh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\ddpjj.exec:\ddpjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\fxxrrll.exec:\fxxrrll.exe23⤵
- Executes dropped EXE
PID:804 -
\??\c:\nhnhnh.exec:\nhnhnh.exe24⤵
- Executes dropped EXE
PID:4620 -
\??\c:\pjvpj.exec:\pjvpj.exe25⤵
- Executes dropped EXE
PID:4608 -
\??\c:\xrxrlfx.exec:\xrxrlfx.exe26⤵
- Executes dropped EXE
PID:3932 -
\??\c:\frxrlfx.exec:\frxrlfx.exe27⤵
- Executes dropped EXE
PID:4424 -
\??\c:\hbtnhb.exec:\hbtnhb.exe28⤵
- Executes dropped EXE
PID:1548 -
\??\c:\jdjdd.exec:\jdjdd.exe29⤵
- Executes dropped EXE
PID:1364 -
\??\c:\ddvpp.exec:\ddvpp.exe30⤵
- Executes dropped EXE
PID:1624 -
\??\c:\frfxrrl.exec:\frfxrrl.exe31⤵
- Executes dropped EXE
PID:1696 -
\??\c:\htnnhh.exec:\htnnhh.exe32⤵
- Executes dropped EXE
PID:5032 -
\??\c:\ntbbnh.exec:\ntbbnh.exe33⤵
- Executes dropped EXE
PID:636 -
\??\c:\vpvjv.exec:\vpvjv.exe34⤵
- Executes dropped EXE
PID:4808 -
\??\c:\llrrrfl.exec:\llrrrfl.exe35⤵
- Executes dropped EXE
PID:4076 -
\??\c:\xxxfxxr.exec:\xxxfxxr.exe36⤵
- Executes dropped EXE
PID:3240 -
\??\c:\1bhbnn.exec:\1bhbnn.exe37⤵
- Executes dropped EXE
PID:4244 -
\??\c:\ppvjp.exec:\ppvjp.exe38⤵
- Executes dropped EXE
PID:1500 -
\??\c:\ppvvj.exec:\ppvvj.exe39⤵
- Executes dropped EXE
PID:3264 -
\??\c:\9ffxrrl.exec:\9ffxrrl.exe40⤵
- Executes dropped EXE
PID:4844 -
\??\c:\9lfxrrr.exec:\9lfxrrr.exe41⤵
- Executes dropped EXE
PID:4800 -
\??\c:\tnbtnn.exec:\tnbtnn.exe42⤵
- Executes dropped EXE
PID:2868 -
\??\c:\3hnbtt.exec:\3hnbtt.exe43⤵
- Executes dropped EXE
PID:2156 -
\??\c:\3djdv.exec:\3djdv.exe44⤵
- Executes dropped EXE
PID:1304 -
\??\c:\xrfffxr.exec:\xrfffxr.exe45⤵
- Executes dropped EXE
PID:4748 -
\??\c:\xlllffx.exec:\xlllffx.exe46⤵
- Executes dropped EXE
PID:2436 -
\??\c:\httnbt.exec:\httnbt.exe47⤵
- Executes dropped EXE
PID:3628 -
\??\c:\vdddv.exec:\vdddv.exe48⤵
- Executes dropped EXE
PID:4792 -
\??\c:\jdvpv.exec:\jdvpv.exe49⤵
- Executes dropped EXE
PID:3616 -
\??\c:\rxfxfff.exec:\rxfxfff.exe50⤵
- Executes dropped EXE
PID:4220 -
\??\c:\nttbnh.exec:\nttbnh.exe51⤵
- Executes dropped EXE
PID:4640 -
\??\c:\hbnbtn.exec:\hbnbtn.exe52⤵
- Executes dropped EXE
PID:1152 -
\??\c:\pjdvj.exec:\pjdvj.exe53⤵
- Executes dropped EXE
PID:1676 -
\??\c:\rxfxrrr.exec:\rxfxrrr.exe54⤵
- Executes dropped EXE
PID:3620 -
\??\c:\hnbbtb.exec:\hnbbtb.exe55⤵
- Executes dropped EXE
PID:964 -
\??\c:\nntbtt.exec:\nntbtt.exe56⤵
- Executes dropped EXE
PID:264 -
\??\c:\jdvpv.exec:\jdvpv.exe57⤵
- Executes dropped EXE
PID:4572 -
\??\c:\ddvjd.exec:\ddvjd.exe58⤵
- Executes dropped EXE
PID:1256 -
\??\c:\3flfrfr.exec:\3flfrfr.exe59⤵
- Executes dropped EXE
PID:1852 -
\??\c:\hnnhhh.exec:\hnnhhh.exe60⤵
- Executes dropped EXE
PID:3136 -
\??\c:\vjvpp.exec:\vjvpp.exe61⤵
- Executes dropped EXE
PID:1996 -
\??\c:\pddvv.exec:\pddvv.exe62⤵
- Executes dropped EXE
PID:2388 -
\??\c:\1xffxxx.exec:\1xffxxx.exe63⤵
- Executes dropped EXE
PID:1748 -
\??\c:\rllflfl.exec:\rllflfl.exe64⤵
- Executes dropped EXE
PID:2000 -
\??\c:\7bhnhb.exec:\7bhnhb.exe65⤵
- Executes dropped EXE
PID:688 -
\??\c:\jdpjd.exec:\jdpjd.exe66⤵PID:3592
-
\??\c:\xxxrxxf.exec:\xxxrxxf.exe67⤵PID:4804
-
\??\c:\hnhbtt.exec:\hnhbtt.exe68⤵PID:4732
-
\??\c:\bhbnhh.exec:\bhbnhh.exe69⤵PID:4492
-
\??\c:\vddjd.exec:\vddjd.exe70⤵PID:1232
-
\??\c:\lrrrlfx.exec:\lrrrlfx.exe71⤵PID:2484
-
\??\c:\rrfxxxr.exec:\rrfxxxr.exe72⤵PID:3024
-
\??\c:\9ntnnn.exec:\9ntnnn.exe73⤵PID:3036
-
\??\c:\httthh.exec:\httthh.exe74⤵PID:3624
-
\??\c:\ppvpj.exec:\ppvpj.exe75⤵PID:4948
-
\??\c:\djvpd.exec:\djvpd.exe76⤵PID:3404
-
\??\c:\lllfrfx.exec:\lllfrfx.exe77⤵PID:5052
-
\??\c:\hbthnn.exec:\hbthnn.exe78⤵PID:2292
-
\??\c:\bnnnnn.exec:\bnnnnn.exe79⤵PID:3884
-
\??\c:\flxxfxf.exec:\flxxfxf.exe80⤵PID:2256
-
\??\c:\rxlrlll.exec:\rxlrlll.exe81⤵PID:3880
-
\??\c:\btnhht.exec:\btnhht.exe82⤵PID:3648
-
\??\c:\djppj.exec:\djppj.exe83⤵PID:4424
-
\??\c:\lfxrllf.exec:\lfxrllf.exe84⤵PID:1548
-
\??\c:\3hnhhh.exec:\3hnhhh.exe85⤵PID:4872
-
\??\c:\nntnnn.exec:\nntnnn.exe86⤵PID:1896
-
\??\c:\jpvdj.exec:\jpvdj.exe87⤵PID:3552
-
\??\c:\jjjdd.exec:\jjjdd.exe88⤵PID:640
-
\??\c:\xxrlffx.exec:\xxrlffx.exe89⤵PID:800
-
\??\c:\5rxxllf.exec:\5rxxllf.exe90⤵PID:816
-
\??\c:\nnhbhh.exec:\nnhbhh.exe91⤵PID:636
-
\??\c:\5hhbtt.exec:\5hhbtt.exe92⤵PID:3560
-
\??\c:\vpvvv.exec:\vpvvv.exe93⤵PID:2780
-
\??\c:\vjdvp.exec:\vjdvp.exe94⤵PID:2508
-
\??\c:\9llfrrf.exec:\9llfrrf.exe95⤵PID:1928
-
\??\c:\xlfrlxr.exec:\xlfrlxr.exe96⤵PID:4632
-
\??\c:\thhhbt.exec:\thhhbt.exe97⤵PID:3264
-
\??\c:\7nhnhn.exec:\7nhnhn.exe98⤵PID:4196
-
\??\c:\vjjdd.exec:\vjjdd.exe99⤵PID:1904
-
\??\c:\frxfrfx.exec:\frxfrfx.exe100⤵PID:3856
-
\??\c:\rxffxxx.exec:\rxffxxx.exe101⤵PID:4612
-
\??\c:\ntttnn.exec:\ntttnn.exe102⤵PID:3512
-
\??\c:\btttnn.exec:\btttnn.exe103⤵PID:4748
-
\??\c:\pddvp.exec:\pddvp.exe104⤵PID:3944
-
\??\c:\xrxfrfx.exec:\xrxfrfx.exe105⤵PID:4028
-
\??\c:\rlrlflf.exec:\rlrlflf.exe106⤵PID:4596
-
\??\c:\bhnbbt.exec:\bhnbbt.exe107⤵PID:1148
-
\??\c:\vvvvp.exec:\vvvvp.exe108⤵PID:3740
-
\??\c:\dpdvj.exec:\dpdvj.exe109⤵PID:4988
-
\??\c:\rffrrrl.exec:\rffrrrl.exe110⤵PID:2988
-
\??\c:\9rfxfxr.exec:\9rfxfxr.exe111⤵PID:368
-
\??\c:\nnhhbh.exec:\nnhhbh.exe112⤵PID:1888
-
\??\c:\fllffff.exec:\fllffff.exe113⤵PID:1872
-
\??\c:\lxrlllf.exec:\lxrlllf.exe114⤵PID:2992
-
\??\c:\thbtnn.exec:\thbtnn.exe115⤵PID:1948
-
\??\c:\dvvvp.exec:\dvvvp.exe116⤵PID:652
-
\??\c:\rlrlllr.exec:\rlrlllr.exe117⤵PID:2672
-
\??\c:\xfffflf.exec:\xfffflf.exe118⤵PID:3344
-
\??\c:\nbnbbh.exec:\nbnbbh.exe119⤵PID:4372
-
\??\c:\jdddv.exec:\jdddv.exe120⤵PID:4940
-
\??\c:\xrlfxfx.exec:\xrlfxfx.exe121⤵PID:1520
-
\??\c:\nntnbb.exec:\nntnbb.exe122⤵PID:2116
-
\??\c:\thbnbh.exec:\thbnbh.exe123⤵PID:688
-
\??\c:\dvvpj.exec:\dvvpj.exe124⤵PID:3592
-
\??\c:\jjjjv.exec:\jjjjv.exe125⤵PID:4828
-
\??\c:\rlrfrfx.exec:\rlrfrfx.exe126⤵PID:1504
-
\??\c:\nhhbtt.exec:\nhhbtt.exe127⤵PID:3196
-
\??\c:\dpvpj.exec:\dpvpj.exe128⤵PID:2244
-
\??\c:\vjvvj.exec:\vjvvj.exe129⤵PID:3000
-
\??\c:\frfxlrl.exec:\frfxlrl.exe130⤵PID:2172
-
\??\c:\5hnnhn.exec:\5hnnhn.exe131⤵PID:4468
-
\??\c:\nbntnn.exec:\nbntnn.exe132⤵PID:1468
-
\??\c:\dvvvp.exec:\dvvvp.exe133⤵PID:2888
-
\??\c:\3pjjj.exec:\3pjjj.exe134⤵PID:4472
-
\??\c:\1xxrllf.exec:\1xxrllf.exe135⤵PID:4512
-
\??\c:\hnbhhb.exec:\hnbhhb.exe136⤵PID:5088
-
\??\c:\vpjdp.exec:\vpjdp.exe137⤵PID:4864
-
\??\c:\5vpjd.exec:\5vpjd.exe138⤵PID:4552
-
\??\c:\xxrlffx.exec:\xxrlffx.exe139⤵PID:4704
-
\??\c:\9bnhhh.exec:\9bnhhh.exe140⤵PID:4908
-
\??\c:\hbbtnn.exec:\hbbtnn.exe141⤵PID:3524
-
\??\c:\dpjpj.exec:\dpjpj.exe142⤵PID:2364
-
\??\c:\jdvpj.exec:\jdvpj.exe143⤵PID:3084
-
\??\c:\rrlrfrf.exec:\rrlrfrf.exe144⤵PID:1696
-
\??\c:\bbtthn.exec:\bbtthn.exe145⤵PID:4032
-
\??\c:\dvpjd.exec:\dvpjd.exe146⤵PID:2200
-
\??\c:\rlrrllf.exec:\rlrrllf.exe147⤵PID:3480
-
\??\c:\fffxlfx.exec:\fffxlfx.exe148⤵PID:3832
-
\??\c:\htbnbt.exec:\htbnbt.exe149⤵PID:4808
-
\??\c:\jvvpj.exec:\jvvpj.exe150⤵PID:4076
-
\??\c:\rfrrxlf.exec:\rfrrxlf.exe151⤵PID:812
-
\??\c:\bhnhbb.exec:\bhnhbb.exe152⤵PID:1044
-
\??\c:\jpvvp.exec:\jpvvp.exe153⤵PID:1384
-
\??\c:\dvvpj.exec:\dvvpj.exe154⤵PID:2748
-
\??\c:\lfxrxxr.exec:\lfxrxxr.exe155⤵PID:1768
-
\??\c:\hbthbt.exec:\hbthbt.exe156⤵PID:676
-
\??\c:\bthhbb.exec:\bthhbb.exe157⤵PID:4452
-
\??\c:\djvvp.exec:\djvvp.exe158⤵PID:1684
-
\??\c:\xflfxxx.exec:\xflfxxx.exe159⤵PID:3436
-
\??\c:\xlrlffx.exec:\xlrlffx.exe160⤵PID:4876
-
\??\c:\7tnnnb.exec:\7tnnnb.exe161⤵PID:4792
-
\??\c:\jpdjv.exec:\jpdjv.exe162⤵PID:1772
-
\??\c:\rfrfxrf.exec:\rfrfxrf.exe163⤵PID:4596
-
\??\c:\fxllffl.exec:\fxllffl.exe164⤵PID:1148
-
\??\c:\bnnnhh.exec:\bnnnhh.exe165⤵PID:2760
-
\??\c:\nnbtnn.exec:\nnbtnn.exe166⤵PID:4136
-
\??\c:\5jppj.exec:\5jppj.exe167⤵PID:2308
-
\??\c:\pvddp.exec:\pvddp.exe168⤵PID:4604
-
\??\c:\xfrxxlr.exec:\xfrxxlr.exe169⤵PID:708
-
\??\c:\rlrlffx.exec:\rlrlffx.exe170⤵PID:3468
-
\??\c:\htbbbb.exec:\htbbbb.exe171⤵PID:3844
-
\??\c:\vjpjj.exec:\vjpjj.exe172⤵PID:4484
-
\??\c:\dvddv.exec:\dvddv.exe173⤵PID:2716
-
\??\c:\flrlfff.exec:\flrlfff.exe174⤵PID:1880
-
\??\c:\xrlxrrl.exec:\xrlxrrl.exe175⤵PID:2388
-
\??\c:\nhttbb.exec:\nhttbb.exe176⤵PID:2564
-
\??\c:\hntnnh.exec:\hntnnh.exe177⤵PID:2908
-
\??\c:\djvpj.exec:\djvpj.exe178⤵PID:2676
-
\??\c:\llrlflf.exec:\llrlflf.exe179⤵PID:3268
-
\??\c:\llxrrrr.exec:\llxrrrr.exe180⤵PID:4104
-
\??\c:\nnbhbb.exec:\nnbhbb.exe181⤵PID:4536
-
\??\c:\9hnnhh.exec:\9hnnhh.exe182⤵PID:3392
-
\??\c:\djpjp.exec:\djpjp.exe183⤵PID:4492
-
\??\c:\9pppd.exec:\9pppd.exe184⤵PID:3052
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe185⤵PID:1492
-
\??\c:\tntnnn.exec:\tntnnn.exe186⤵PID:1572
-
\??\c:\dvjjd.exec:\dvjjd.exe187⤵PID:2560
-
\??\c:\jpdvp.exec:\jpdvp.exe188⤵PID:4468
-
\??\c:\frxxllf.exec:\frxxllf.exe189⤵PID:1468
-
\??\c:\btthbb.exec:\btthbb.exe190⤵PID:2036
-
\??\c:\ntbtnn.exec:\ntbtnn.exe191⤵PID:756
-
\??\c:\pjjdj.exec:\pjjdj.exe192⤵PID:2800
-
\??\c:\dddvp.exec:\dddvp.exe193⤵PID:388
-
\??\c:\rfrlxfx.exec:\rfrlxfx.exe194⤵PID:5108
-
\??\c:\xrllrrl.exec:\xrllrrl.exe195⤵PID:2188
-
\??\c:\nhhtnt.exec:\nhhtnt.exe196⤵PID:1188
-
\??\c:\9pjjv.exec:\9pjjv.exe197⤵PID:2372
-
\??\c:\dpdvp.exec:\dpdvp.exe198⤵PID:1708
-
\??\c:\frlfxrl.exec:\frlfxrl.exe199⤵PID:2696
-
\??\c:\nhhbhb.exec:\nhhbhb.exe200⤵PID:2148
-
\??\c:\tttthh.exec:\tttthh.exe201⤵PID:1696
-
\??\c:\vvjpp.exec:\vvjpp.exe202⤵PID:4032
-
\??\c:\vppjj.exec:\vppjj.exe203⤵PID:2200
-
\??\c:\vvddv.exec:\vvddv.exe204⤵PID:1836
-
\??\c:\lrxrlff.exec:\lrxrlff.exe205⤵PID:2120
-
\??\c:\nhhbnn.exec:\nhhbnn.exe206⤵PID:3240
-
\??\c:\btnnbb.exec:\btnnbb.exe207⤵PID:4076
-
\??\c:\thnhtt.exec:\thnhtt.exe208⤵PID:812
-
\??\c:\5dddp.exec:\5dddp.exe209⤵PID:1804
-
\??\c:\rffxxll.exec:\rffxxll.exe210⤵PID:2596
-
\??\c:\rfxxxrr.exec:\rfxxxrr.exe211⤵PID:1384
-
\??\c:\xrrrlll.exec:\xrrrlll.exe212⤵PID:1768
-
\??\c:\ttbttt.exec:\ttbttt.exe213⤵PID:2156
-
\??\c:\5jppj.exec:\5jppj.exe214⤵PID:3292
-
\??\c:\vpdvv.exec:\vpdvv.exe215⤵PID:3628
-
\??\c:\ffrflfl.exec:\ffrflfl.exe216⤵PID:2436
-
\??\c:\bnnhhn.exec:\bnnhhn.exe217⤵PID:4876
-
\??\c:\nbnnnn.exec:\nbnnnn.exe218⤵PID:4332
-
\??\c:\pjddv.exec:\pjddv.exe219⤵PID:4436
-
\??\c:\fllffff.exec:\fllffff.exe220⤵PID:4064
-
\??\c:\xrfxrrl.exec:\xrfxrrl.exe221⤵PID:3316
-
\??\c:\1bhbtb.exec:\1bhbtb.exe222⤵PID:3764
-
\??\c:\htthtt.exec:\htthtt.exe223⤵PID:4892
-
\??\c:\dvdvd.exec:\dvdvd.exe224⤵PID:748
-
\??\c:\djppd.exec:\djppd.exe225⤵PID:3060
-
\??\c:\rrrxllf.exec:\rrrxllf.exe226⤵PID:2992
-
\??\c:\frxrlrl.exec:\frxrlrl.exe227⤵PID:3136
-
\??\c:\nhbbtn.exec:\nhbbtn.exe228⤵PID:4484
-
\??\c:\pjjjd.exec:\pjjjd.exe229⤵PID:4724
-
\??\c:\jjdjd.exec:\jjdjd.exe230⤵PID:540
-
\??\c:\9lrlflf.exec:\9lrlflf.exe231⤵PID:2388
-
\??\c:\xllxrxr.exec:\xllxrxr.exe232⤵PID:1176
-
\??\c:\hbbtnh.exec:\hbbtnh.exe233⤵PID:5100
-
\??\c:\nhtnbb.exec:\nhtnbb.exe234⤵PID:1988
-
\??\c:\vjjdv.exec:\vjjdv.exe235⤵PID:3268
-
\??\c:\fxllllr.exec:\fxllllr.exe236⤵PID:4104
-
\??\c:\xlrlllf.exec:\xlrlllf.exe237⤵PID:4536
-
\??\c:\xrxfxll.exec:\xrxfxll.exe238⤵PID:1232
-
\??\c:\nbnhhh.exec:\nbnhhh.exe239⤵PID:4492
-
\??\c:\djpdv.exec:\djpdv.exe240⤵PID:3024
-
\??\c:\jjdvp.exec:\jjdvp.exe241⤵PID:916
-
\??\c:\lfxrllf.exec:\lfxrllf.exe242⤵PID:2352