Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
31-05-2024 03:17
Behavioral task
behavioral1
Sample
74d315593d0698cc3704734373cdc740_NeikiAnalytics.exe
Resource
win7-20240508-en
General
-
Target
74d315593d0698cc3704734373cdc740_NeikiAnalytics.exe
-
Size
350KB
-
MD5
74d315593d0698cc3704734373cdc740
-
SHA1
2f07b0083657ecd18d96209bacc3f5b4dec6b455
-
SHA256
7491da5eadf5fb75583ad6d1203c15a11d793d59e61d86fb56299d4573892e3a
-
SHA512
0528109ec757f7edeea28c60ee313cff1c23c7cafa072ef3551d847f84a2236f62a60333cdef1539a2e9d9d1de34e079d1508d9976482eeaeab4616701935119
-
SSDEEP
6144:dcm4FmowdHoSNjAszBd+aQz0ZUx2w/ZmTH1R5h2VaHjmVQh5W6z0OJ0HPopxyzuc:f4wFHoSN1zBjAGUx2w/q1R5h2VumVQhy
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/804-5-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/1616-13-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2960-20-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2876-30-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/1692-32-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/3980-41-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/1928-48-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/1768-58-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4912-61-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/672-71-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2184-77-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/3576-78-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/5004-87-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/3668-91-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4768-100-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2808-106-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/3112-109-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4224-114-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/1572-121-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/3268-129-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/704-143-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon 
behavioral2/memory/1820-158-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2376-166-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4748-174-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2964-182-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/3096-184-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4504-192-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/1492-193-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/3200-203-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4368-204-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4164-211-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/804-227-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/5096-232-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/1312-235-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/1312-239-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/1704-243-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4004-250-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4128-258-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/748-262-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2932-271-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2920-276-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4588-279-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon 
behavioral2/memory/4552-293-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/3232-295-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/3296-301-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/3108-317-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/5052-327-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2036-343-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/516-353-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2712-370-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/1732-386-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4376-405-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4664-415-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4724-423-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2740-436-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2740-439-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/1928-446-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2640-448-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/2520-490-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/1888-650-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/4332-668-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/1264-739-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon behavioral2/memory/3692-777-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon 
behavioral2/memory/1616-879-0x0000000000400000-0x0000000000431000-memory.dmp family_blackmoon -
Malware Dropper & Backdoor - Berbew 32 IoCs
Berbew is a backdoor Trojan that can download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\vvpjj.exe family_berbew \??\c:\lrrllll.exe family_berbew C:\bhhnhn.exe family_berbew C:\ddvpv.exe family_berbew C:\thhhhn.exe family_berbew C:\hbbtnn.exe family_berbew C:\3rxlffr.exe family_berbew C:\pdvvp.exe family_berbew C:\xrlxflr.exe family_berbew C:\ttnnhb.exe family_berbew C:\ddddv.exe family_berbew \??\c:\nnnnnn.exe family_berbew C:\dvpjd.exe family_berbew C:\hnhbbh.exe family_berbew C:\jpvjd.exe family_berbew C:\xrflllf.exe family_berbew C:\ppppp.exe family_berbew \??\c:\nhnhbb.exe family_berbew C:\bbhbtt.exe family_berbew C:\dddpp.exe family_berbew C:\flrrxxx.exe family_berbew C:\jjjvp.exe family_berbew C:\9xrlllf.exe family_berbew C:\dpddv.exe family_berbew C:\dpdvp.exe family_berbew C:\xlxllff.exe family_berbew C:\nhhhbt.exe family_berbew C:\3rxrrrr.exe family_berbew C:\nnhbnn.exe family_berbew C:\pjvpp.exe family_berbew C:\lxfxxrr.exe family_berbew \??\c:\3btntt.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
vvpjj.exelrrllll.exebhhnhn.exeddvpv.exethhhhn.exehbbtnn.exe3rxlffr.exepdvvp.exexrlxflr.exettnnhb.exeddddv.exennnnnn.exedvpjd.exehnhbbh.exejpvjd.exexrflllf.exeppppp.exenhnhbb.exebbhbtt.exedddpp.exeflrrxxx.exejjjvp.exe9xrlllf.exedpddv.exedpdvp.exexlxllff.exenhhhbt.exe3rxrrrr.exennhbnn.exepjvpp.exelxfxxrr.exe3btntt.exefxffxff.exetnbtbb.exe1dpjj.exejvjdv.exelxfflxr.exenbnnhn.exejjddv.exelrrrrxf.exexffxxrl.exebnthhh.exelllfxxx.exentbtnn.exevppjd.exevdppj.exelllfxxr.exehhtnhh.exe5jjjj.exe5xlfrrr.exerfrrllf.exettbbbh.exedjppv.exe9rxxxxx.exenbtbtt.exenbbbbh.exeddvvd.exexlrlllf.exebtbnhh.exepvvpp.exe5djjd.exe3lfxxxr.exebhhhht.exennnhhb.exepid process 1616 vvpjj.exe 2996 lrrllll.exe 2960 bhhnhn.exe 1692 ddvpv.exe 2876 thhhhn.exe 3980 hbbtnn.exe 3600 3rxlffr.exe 1928 pdvvp.exe 1768 xrlxflr.exe 4912 ttnnhb.exe 672 ddddv.exe 2184 nnnnnn.exe 3576 dvpjd.exe 5004 hnhbbh.exe 3668 jpvjd.exe 4768 xrflllf.exe 2808 ppppp.exe 3112 nhnhbb.exe 4224 bbhbtt.exe 1572 dddpp.exe 3268 flrrxxx.exe 528 jjjvp.exe 5040 9xrlllf.exe 704 dpddv.exe 2408 dpdvp.exe 1820 xlxllff.exe 2000 nhhhbt.exe 2376 3rxrrrr.exe 4748 nnhbnn.exe 2964 pjvpp.exe 3096 lxfxxrr.exe 4504 3btntt.exe 1492 fxffxff.exe 964 tnbtbb.exe 3200 1dpjj.exe 4368 jvjdv.exe 4164 lxfflxr.exe 4524 nbnnhn.exe 4712 jjddv.exe 4372 lrrrrxf.exe 1076 xffxxrl.exe 804 bnthhh.exe 3256 lllfxxx.exe 5096 ntbtnn.exe 1312 vppjd.exe 1704 vdppj.exe 3848 lllfxxr.exe 4004 hhtnhh.exe 5084 5jjjj.exe 976 5xlfrrr.exe 4128 rfrrllf.exe 748 ttbbbh.exe 4856 djppv.exe 2932 9rxxxxx.exe 3860 nbtbtt.exe 2920 nbbbbh.exe 4588 ddvvd.exe 4396 xlrlllf.exe 4884 btbnhh.exe 4552 pvvpp.exe 3232 5djjd.exe 3296 3lfxxxr.exe 2228 bhhhht.exe 544 nnnhhb.exe -
Processes:
resource yara_rule behavioral2/memory/804-0-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\vvpjj.exe upx behavioral2/memory/1616-6-0x0000000000400000-0x0000000000431000-memory.dmp upx behavioral2/memory/804-5-0x0000000000400000-0x0000000000431000-memory.dmp upx \??\c:\lrrllll.exe upx behavioral2/memory/1616-13-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\bhhnhn.exe upx behavioral2/memory/2960-20-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\ddvpv.exe upx C:\thhhhn.exe upx behavioral2/memory/2876-30-0x0000000000400000-0x0000000000431000-memory.dmp upx behavioral2/memory/1692-32-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\hbbtnn.exe upx C:\3rxlffr.exe upx behavioral2/memory/3980-41-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\pdvvp.exe upx behavioral2/memory/1928-48-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\xrlxflr.exe upx C:\ttnnhb.exe upx behavioral2/memory/1768-58-0x0000000000400000-0x0000000000431000-memory.dmp upx behavioral2/memory/4912-61-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\ddddv.exe upx behavioral2/memory/672-71-0x0000000000400000-0x0000000000431000-memory.dmp upx \??\c:\nnnnnn.exe upx C:\dvpjd.exe upx behavioral2/memory/2184-77-0x0000000000400000-0x0000000000431000-memory.dmp upx behavioral2/memory/3576-78-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\hnhbbh.exe upx behavioral2/memory/5004-87-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\jpvjd.exe upx behavioral2/memory/3668-91-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\xrflllf.exe upx C:\ppppp.exe upx behavioral2/memory/4768-100-0x0000000000400000-0x0000000000431000-memory.dmp upx behavioral2/memory/2808-106-0x0000000000400000-0x0000000000431000-memory.dmp upx \??\c:\nhnhbb.exe upx behavioral2/memory/3112-109-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\bbhbtt.exe upx behavioral2/memory/4224-114-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\dddpp.exe upx 
behavioral2/memory/1572-121-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\flrrxxx.exe upx C:\jjjvp.exe upx behavioral2/memory/3268-129-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\9xrlllf.exe upx C:\dpddv.exe upx behavioral2/memory/704-143-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\dpdvp.exe upx C:\xlxllff.exe upx C:\nhhhbt.exe upx behavioral2/memory/1820-158-0x0000000000400000-0x0000000000431000-memory.dmp upx behavioral2/memory/2000-159-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\3rxrrrr.exe upx behavioral2/memory/2376-166-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\nnhbnn.exe upx behavioral2/memory/4748-174-0x0000000000400000-0x0000000000431000-memory.dmp upx C:\pjvpp.exe upx C:\lxfxxrr.exe upx behavioral2/memory/2964-182-0x0000000000400000-0x0000000000431000-memory.dmp upx behavioral2/memory/3096-184-0x0000000000400000-0x0000000000431000-memory.dmp upx \??\c:\3btntt.exe upx behavioral2/memory/4504-192-0x0000000000400000-0x0000000000431000-memory.dmp upx behavioral2/memory/1492-193-0x0000000000400000-0x0000000000431000-memory.dmp upx behavioral2/memory/3200-203-0x0000000000400000-0x0000000000431000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
74d315593d0698cc3704734373cdc740_NeikiAnalytics.exevvpjj.exelrrllll.exebhhnhn.exeddvpv.exethhhhn.exehbbtnn.exe3rxlffr.exepdvvp.exexrlxflr.exettnnhb.exeddddv.exennnnnn.exedvpjd.exehnhbbh.exejpvjd.exexrflllf.exeppppp.exenhnhbb.exebbhbtt.exedddpp.exeflrrxxx.exedescription pid process target process PID 804 wrote to memory of 1616 804 74d315593d0698cc3704734373cdc740_NeikiAnalytics.exe vvpjj.exe PID 804 wrote to memory of 1616 804 74d315593d0698cc3704734373cdc740_NeikiAnalytics.exe vvpjj.exe PID 804 wrote to memory of 1616 804 74d315593d0698cc3704734373cdc740_NeikiAnalytics.exe vvpjj.exe PID 1616 wrote to memory of 2996 1616 vvpjj.exe lrrllll.exe PID 1616 wrote to memory of 2996 1616 vvpjj.exe lrrllll.exe PID 1616 wrote to memory of 2996 1616 vvpjj.exe lrrllll.exe PID 2996 wrote to memory of 2960 2996 lrrllll.exe bhhnhn.exe PID 2996 wrote to memory of 2960 2996 lrrllll.exe bhhnhn.exe PID 2996 wrote to memory of 2960 2996 lrrllll.exe bhhnhn.exe PID 2960 wrote to memory of 1692 2960 bhhnhn.exe ddvpv.exe PID 2960 wrote to memory of 1692 2960 bhhnhn.exe ddvpv.exe PID 2960 wrote to memory of 1692 2960 bhhnhn.exe ddvpv.exe PID 1692 wrote to memory of 2876 1692 ddvpv.exe thhhhn.exe PID 1692 wrote to memory of 2876 1692 ddvpv.exe thhhhn.exe PID 1692 wrote to memory of 2876 1692 ddvpv.exe thhhhn.exe PID 2876 wrote to memory of 3980 2876 thhhhn.exe hbbtnn.exe PID 2876 wrote to memory of 3980 2876 thhhhn.exe hbbtnn.exe PID 2876 wrote to memory of 3980 2876 thhhhn.exe hbbtnn.exe PID 3980 wrote to memory of 3600 3980 hbbtnn.exe 3rxlffr.exe PID 3980 wrote to memory of 3600 3980 hbbtnn.exe 3rxlffr.exe PID 3980 wrote to memory of 3600 3980 hbbtnn.exe 3rxlffr.exe PID 3600 wrote to memory of 1928 3600 3rxlffr.exe pdvvp.exe PID 3600 wrote to memory of 1928 3600 3rxlffr.exe pdvvp.exe PID 3600 wrote to memory of 1928 3600 3rxlffr.exe pdvvp.exe PID 1928 wrote to memory of 1768 1928 pdvvp.exe xrlxflr.exe PID 1928 wrote to memory of 1768 1928 pdvvp.exe xrlxflr.exe PID 1928 wrote to memory of 
1768 1928 pdvvp.exe xrlxflr.exe PID 1768 wrote to memory of 4912 1768 xrlxflr.exe ttnnhb.exe PID 1768 wrote to memory of 4912 1768 xrlxflr.exe ttnnhb.exe PID 1768 wrote to memory of 4912 1768 xrlxflr.exe ttnnhb.exe PID 4912 wrote to memory of 672 4912 ttnnhb.exe ddddv.exe PID 4912 wrote to memory of 672 4912 ttnnhb.exe ddddv.exe PID 4912 wrote to memory of 672 4912 ttnnhb.exe ddddv.exe PID 672 wrote to memory of 2184 672 ddddv.exe nnnnnn.exe PID 672 wrote to memory of 2184 672 ddddv.exe nnnnnn.exe PID 672 wrote to memory of 2184 672 ddddv.exe nnnnnn.exe PID 2184 wrote to memory of 3576 2184 nnnnnn.exe dvpjd.exe PID 2184 wrote to memory of 3576 2184 nnnnnn.exe dvpjd.exe PID 2184 wrote to memory of 3576 2184 nnnnnn.exe dvpjd.exe PID 3576 wrote to memory of 5004 3576 dvpjd.exe hnhbbh.exe PID 3576 wrote to memory of 5004 3576 dvpjd.exe hnhbbh.exe PID 3576 wrote to memory of 5004 3576 dvpjd.exe hnhbbh.exe PID 5004 wrote to memory of 3668 5004 hnhbbh.exe jpvjd.exe PID 5004 wrote to memory of 3668 5004 hnhbbh.exe jpvjd.exe PID 5004 wrote to memory of 3668 5004 hnhbbh.exe jpvjd.exe PID 3668 wrote to memory of 4768 3668 jpvjd.exe xrflllf.exe PID 3668 wrote to memory of 4768 3668 jpvjd.exe xrflllf.exe PID 3668 wrote to memory of 4768 3668 jpvjd.exe xrflllf.exe PID 4768 wrote to memory of 2808 4768 xrflllf.exe ppppp.exe PID 4768 wrote to memory of 2808 4768 xrflllf.exe ppppp.exe PID 4768 wrote to memory of 2808 4768 xrflllf.exe ppppp.exe PID 2808 wrote to memory of 3112 2808 ppppp.exe nhnhbb.exe PID 2808 wrote to memory of 3112 2808 ppppp.exe nhnhbb.exe PID 2808 wrote to memory of 3112 2808 ppppp.exe nhnhbb.exe PID 3112 wrote to memory of 4224 3112 nhnhbb.exe bbhbtt.exe PID 3112 wrote to memory of 4224 3112 nhnhbb.exe bbhbtt.exe PID 3112 wrote to memory of 4224 3112 nhnhbb.exe bbhbtt.exe PID 4224 wrote to memory of 1572 4224 bbhbtt.exe dddpp.exe PID 4224 wrote to memory of 1572 4224 bbhbtt.exe dddpp.exe PID 4224 wrote to memory of 1572 4224 bbhbtt.exe dddpp.exe PID 1572 wrote 
to memory of 3268 1572 dddpp.exe flrrxxx.exe PID 1572 wrote to memory of 3268 1572 dddpp.exe flrrxxx.exe PID 1572 wrote to memory of 3268 1572 dddpp.exe flrrxxx.exe PID 3268 wrote to memory of 528 3268 flrrxxx.exe jjjvp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\74d315593d0698cc3704734373cdc740_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\74d315593d0698cc3704734373cdc740_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\vvpjj.exec:\vvpjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\lrrllll.exec:\lrrllll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\bhhnhn.exec:\bhhnhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\ddvpv.exec:\ddvpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\thhhhn.exec:\thhhhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\hbbtnn.exec:\hbbtnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\3rxlffr.exec:\3rxlffr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\pdvvp.exec:\pdvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\xrlxflr.exec:\xrlxflr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\ttnnhb.exec:\ttnnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\ddddv.exec:\ddddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\nnnnnn.exec:\nnnnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\dvpjd.exec:\dvpjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\hnhbbh.exec:\hnhbbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\jpvjd.exec:\jpvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\xrflllf.exec:\xrflllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\ppppp.exec:\ppppp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\nhnhbb.exec:\nhnhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\bbhbtt.exec:\bbhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\dddpp.exec:\dddpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\flrrxxx.exec:\flrrxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\jjjvp.exec:\jjjvp.exe23⤵
- Executes dropped EXE
PID:528 -
\??\c:\9xrlllf.exec:\9xrlllf.exe24⤵
- Executes dropped EXE
PID:5040 -
\??\c:\dpddv.exec:\dpddv.exe25⤵
- Executes dropped EXE
PID:704 -
\??\c:\dpdvp.exec:\dpdvp.exe26⤵
- Executes dropped EXE
PID:2408 -
\??\c:\xlxllff.exec:\xlxllff.exe27⤵
- Executes dropped EXE
PID:1820 -
\??\c:\nhhhbt.exec:\nhhhbt.exe28⤵
- Executes dropped EXE
PID:2000 -
\??\c:\3rxrrrr.exec:\3rxrrrr.exe29⤵
- Executes dropped EXE
PID:2376 -
\??\c:\nnhbnn.exec:\nnhbnn.exe30⤵
- Executes dropped EXE
PID:4748 -
\??\c:\pjvpp.exec:\pjvpp.exe31⤵
- Executes dropped EXE
PID:2964 -
\??\c:\lxfxxrr.exec:\lxfxxrr.exe32⤵
- Executes dropped EXE
PID:3096 -
\??\c:\3btntt.exec:\3btntt.exe33⤵
- Executes dropped EXE
PID:4504 -
\??\c:\fxffxff.exec:\fxffxff.exe34⤵
- Executes dropped EXE
PID:1492 -
\??\c:\tnbtbb.exec:\tnbtbb.exe35⤵
- Executes dropped EXE
PID:964 -
\??\c:\1dpjj.exec:\1dpjj.exe36⤵
- Executes dropped EXE
PID:3200 -
\??\c:\jvjdv.exec:\jvjdv.exe37⤵
- Executes dropped EXE
PID:4368 -
\??\c:\lxfflxr.exec:\lxfflxr.exe38⤵
- Executes dropped EXE
PID:4164 -
\??\c:\nbnnhn.exec:\nbnnhn.exe39⤵
- Executes dropped EXE
PID:4524 -
\??\c:\jjddv.exec:\jjddv.exe40⤵
- Executes dropped EXE
PID:4712 -
\??\c:\lrrrrxf.exec:\lrrrrxf.exe41⤵
- Executes dropped EXE
PID:4372 -
\??\c:\xffxxrl.exec:\xffxxrl.exe42⤵
- Executes dropped EXE
PID:1076 -
\??\c:\bnthhh.exec:\bnthhh.exe43⤵
- Executes dropped EXE
PID:804 -
\??\c:\lllfxxx.exec:\lllfxxx.exe44⤵
- Executes dropped EXE
PID:3256 -
\??\c:\ntbtnn.exec:\ntbtnn.exe45⤵
- Executes dropped EXE
PID:5096 -
\??\c:\vppjd.exec:\vppjd.exe46⤵
- Executes dropped EXE
PID:1312 -
\??\c:\vdppj.exec:\vdppj.exe47⤵
- Executes dropped EXE
PID:1704 -
\??\c:\lllfxxr.exec:\lllfxxr.exe48⤵
- Executes dropped EXE
PID:3848 -
\??\c:\hhtnhh.exec:\hhtnhh.exe49⤵
- Executes dropped EXE
PID:4004 -
\??\c:\5jjjj.exec:\5jjjj.exe50⤵
- Executes dropped EXE
PID:5084 -
\??\c:\5xlfrrr.exec:\5xlfrrr.exe51⤵
- Executes dropped EXE
PID:976 -
\??\c:\rfrrllf.exec:\rfrrllf.exe52⤵
- Executes dropped EXE
PID:4128 -
\??\c:\ttbbbh.exec:\ttbbbh.exe53⤵
- Executes dropped EXE
PID:748 -
\??\c:\djppv.exec:\djppv.exe54⤵
- Executes dropped EXE
PID:4856 -
\??\c:\9rxxxxx.exec:\9rxxxxx.exe55⤵
- Executes dropped EXE
PID:2932 -
\??\c:\nbtbtt.exec:\nbtbtt.exe56⤵
- Executes dropped EXE
PID:3860 -
\??\c:\nbbbbh.exec:\nbbbbh.exe57⤵
- Executes dropped EXE
PID:2920 -
\??\c:\ddvvd.exec:\ddvvd.exe58⤵
- Executes dropped EXE
PID:4588 -
\??\c:\xlrlllf.exec:\xlrlllf.exe59⤵
- Executes dropped EXE
PID:4396 -
\??\c:\btbnhh.exec:\btbnhh.exe60⤵
- Executes dropped EXE
PID:4884 -
\??\c:\pvvpp.exec:\pvvpp.exe61⤵
- Executes dropped EXE
PID:4552 -
\??\c:\5djjd.exec:\5djjd.exe62⤵
- Executes dropped EXE
PID:3232 -
\??\c:\3lfxxxr.exec:\3lfxxxr.exe63⤵
- Executes dropped EXE
PID:3296 -
\??\c:\bhhhht.exec:\bhhhht.exe64⤵
- Executes dropped EXE
PID:2228 -
\??\c:\nnnhhb.exec:\nnnhhb.exe65⤵
- Executes dropped EXE
PID:544 -
\??\c:\jpppj.exec:\jpppj.exe66⤵PID:1064
-
\??\c:\llrrrrr.exec:\llrrrrr.exe67⤵PID:3236
-
\??\c:\fffxrrr.exec:\fffxrrr.exe68⤵PID:1848
-
\??\c:\tbtttt.exec:\tbtttt.exe69⤵PID:3108
-
\??\c:\9vvvv.exec:\9vvvv.exe70⤵PID:2540
-
\??\c:\pjvjd.exec:\pjvjd.exe71⤵PID:64
-
\??\c:\frxrfrr.exec:\frxrfrr.exe72⤵PID:5052
-
\??\c:\hbbthh.exec:\hbbthh.exe73⤵PID:3268
-
\??\c:\7ntbbt.exec:\7ntbbt.exe74⤵PID:1900
-
\??\c:\pppjd.exec:\pppjd.exe75⤵PID:4220
-
\??\c:\vpvpv.exec:\vpvpv.exe76⤵PID:2036
-
\??\c:\fflllfl.exec:\fflllfl.exe77⤵PID:884
-
\??\c:\nhhhbn.exec:\nhhhbn.exe78⤵PID:2408
-
\??\c:\pdvpv.exec:\pdvpv.exe79⤵PID:1084
-
\??\c:\pjjjj.exec:\pjjjj.exe80⤵PID:516
-
\??\c:\xflrlxx.exec:\xflrlxx.exe81⤵PID:2944
-
\??\c:\bhnhtt.exec:\bhnhtt.exe82⤵PID:4476
-
\??\c:\hntnhb.exec:\hntnhb.exe83⤵PID:2688
-
\??\c:\pjdvv.exec:\pjdvv.exe84⤵PID:4948
-
\??\c:\lllxlfr.exec:\lllxlfr.exe85⤵PID:2712
-
\??\c:\fxrlxxx.exec:\fxrlxxx.exe86⤵PID:3440
-
\??\c:\bnthtn.exec:\bnthtn.exe87⤵PID:4876
-
\??\c:\jvdvv.exec:\jvdvv.exe88⤵PID:4548
-
\??\c:\7jpdv.exec:\7jpdv.exe89⤵PID:1732
-
\??\c:\frxllll.exec:\frxllll.exe90⤵PID:3264
-
\??\c:\hhhbnn.exec:\hhhbnn.exe91⤵PID:412
-
\??\c:\tnhnnt.exec:\tnhnnt.exe92⤵PID:2116
-
\??\c:\ppjvv.exec:\ppjvv.exe93⤵PID:4292
-
\??\c:\bbbttt.exec:\bbbttt.exe94⤵PID:4800
-
\??\c:\nhbbtt.exec:\nhbbtt.exe95⤵PID:4376
-
\??\c:\dvjjd.exec:\dvjjd.exe96⤵PID:4980
-
\??\c:\xrfrfxf.exec:\xrfrfxf.exe97⤵PID:1076
-
\??\c:\bbtttn.exec:\bbtttn.exe98⤵PID:4664
-
\??\c:\htbhht.exec:\htbhht.exe99⤵PID:4624
-
\??\c:\vddvj.exec:\vddvj.exe100⤵PID:3088
-
\??\c:\rlxxrlf.exec:\rlxxrlf.exe101⤵PID:4724
-
\??\c:\rrlxrll.exec:\rrlxrll.exe102⤵PID:2876
-
\??\c:\nbtnth.exec:\nbtnth.exe103⤵PID:736
-
\??\c:\jvvpd.exec:\jvvpd.exe104⤵PID:5068
-
\??\c:\rxlfxrr.exec:\rxlfxrr.exe105⤵PID:2740
-
\??\c:\1xflxxr.exec:\1xflxxr.exe106⤵PID:976
-
\??\c:\ntbthh.exec:\ntbthh.exe107⤵PID:1928
-
\??\c:\pdpjj.exec:\pdpjj.exe108⤵PID:2640
-
\??\c:\rxxxrrx.exec:\rxxxrrx.exe109⤵PID:4640
-
\??\c:\llxxrrf.exec:\llxxrrf.exe110⤵PID:2780
-
\??\c:\bntnht.exec:\bntnht.exe111⤵PID:5072
-
\??\c:\jjddv.exec:\jjddv.exe112⤵PID:2920
-
\??\c:\vvjjv.exec:\vvjjv.exe113⤵PID:1868
-
\??\c:\ffrffrl.exec:\ffrffrl.exe114⤵PID:3720
-
\??\c:\tbnhtn.exec:\tbnhtn.exe115⤵PID:436
-
\??\c:\9jjdv.exec:\9jjdv.exe116⤵PID:3672
-
\??\c:\dpppj.exec:\dpppj.exe117⤵PID:1968
-
\??\c:\lfrrlxr.exec:\lfrrlxr.exe118⤵PID:3660
-
\??\c:\thhbtn.exec:\thhbtn.exe119⤵PID:4416
-
\??\c:\hbhhtt.exec:\hbhhtt.exe120⤵PID:4464
-
\??\c:\dvvpj.exec:\dvvpj.exe121⤵PID:2520
-
\??\c:\lxxfxlf.exec:\lxxfxlf.exe122⤵PID:3528
-
\??\c:\fxrxrlf.exec:\fxrxrlf.exe123⤵PID:2468
-
\??\c:\ntttnt.exec:\ntttnt.exe124⤵PID:2280
-
\??\c:\pjppp.exec:\pjppp.exe125⤵PID:1424
-
\??\c:\7jdpd.exec:\7jdpd.exe126⤵PID:5100
-
\??\c:\lrfxrrx.exec:\lrfxrrx.exe127⤵PID:1588
-
\??\c:\hthtbt.exec:\hthtbt.exe128⤵PID:1060
-
\??\c:\htbtnn.exec:\htbtnn.exe129⤵PID:1036
-
\??\c:\vdjdp.exec:\vdjdp.exe130⤵PID:532
-
\??\c:\flfxllx.exec:\flfxllx.exe131⤵PID:5088
-
\??\c:\frxrlfx.exec:\frxrlfx.exe132⤵PID:1328
-
\??\c:\hbbthb.exec:\hbbthb.exe133⤵PID:3540
-
\??\c:\jjpjj.exec:\jjpjj.exe134⤵PID:2820
-
\??\c:\lxrllfx.exec:\lxrllfx.exe135⤵PID:516
-
\??\c:\xxfxrxr.exec:\xxfxrxr.exe136⤵PID:2944
-
\??\c:\nbthtt.exec:\nbthtt.exe137⤵PID:2328
-
\??\c:\pjppv.exec:\pjppv.exe138⤵PID:1132
-
\??\c:\frxrllf.exec:\frxrllf.exe139⤵PID:3096
-
\??\c:\rlfrfxr.exec:\rlfrfxr.exe140⤵PID:2712
-
\??\c:\ntbtnn.exec:\ntbtnn.exe141⤵PID:3440
-
\??\c:\tthbbt.exec:\tthbbt.exe142⤵PID:4876
-
\??\c:\xxxlfxr.exec:\xxxlfxr.exe143⤵PID:3616
-
\??\c:\lffxfff.exec:\lffxfff.exe144⤵PID:1732
-
\??\c:\5tnnhb.exec:\5tnnhb.exe145⤵PID:3264
-
\??\c:\pjjjd.exec:\pjjjd.exe146⤵PID:4792
-
\??\c:\jvpdp.exec:\jvpdp.exe147⤵PID:3520
-
\??\c:\xfxrxrl.exec:\xfxrxrl.exe148⤵PID:2364
-
\??\c:\ntnbtn.exec:\ntnbtn.exe149⤵PID:2200
-
\??\c:\nnnnnn.exec:\nnnnnn.exe150⤵PID:3004
-
\??\c:\3pjvj.exec:\3pjvj.exe151⤵PID:3392
-
\??\c:\jpvpj.exec:\jpvpj.exe152⤵PID:1352
-
\??\c:\rfxrffr.exec:\rfxrffr.exe153⤵PID:3280
-
\??\c:\tnhbtn.exec:\tnhbtn.exe154⤵PID:3524
-
\??\c:\3pjdd.exec:\3pjdd.exe155⤵PID:1656
-
\??\c:\dpppp.exec:\dpppp.exe156⤵PID:4204
-
\??\c:\xlfrlfx.exec:\xlfrlfx.exe157⤵PID:1976
-
\??\c:\rfxfrff.exec:\rfxfrff.exe158⤵PID:4912
-
\??\c:\hbhtbb.exec:\hbhtbb.exe159⤵PID:4640
-
\??\c:\dvvpd.exec:\dvvpd.exe160⤵PID:4856
-
\??\c:\frlxrrl.exec:\frlxrrl.exe161⤵PID:4516
-
\??\c:\llfxlfx.exec:\llfxlfx.exe162⤵PID:4236
-
\??\c:\nntnhb.exec:\nntnhb.exe163⤵PID:4088
-
\??\c:\btnbhb.exec:\btnbhb.exe164⤵PID:3720
-
\??\c:\dppjd.exec:\dppjd.exe165⤵PID:4496
-
\??\c:\7djdv.exec:\7djdv.exe166⤵PID:3008
-
\??\c:\1rxrfxr.exec:\1rxrfxr.exe167⤵PID:2300
-
\??\c:\thttnn.exec:\thttnn.exe168⤵PID:916
-
\??\c:\7djjd.exec:\7djjd.exe169⤵PID:2448
-
\??\c:\fxxrrfx.exec:\fxxrrfx.exe170⤵PID:1848
-
\??\c:\thnhhb.exec:\thnhhb.exe171⤵PID:1480
-
\??\c:\pjvjj.exec:\pjvjj.exe172⤵PID:872
-
\??\c:\xxxxrxl.exec:\xxxxrxl.exe173⤵PID:1888
-
\??\c:\frxxrll.exec:\frxxrll.exe174⤵PID:64
-
\??\c:\thtnnn.exec:\thtnnn.exe175⤵PID:2976
-
\??\c:\pdddv.exec:\pdddv.exe176⤵PID:1056
-
\??\c:\jvpdp.exec:\jvpdp.exe177⤵PID:4220
-
\??\c:\rrfrlxx.exec:\rrfrlxx.exe178⤵PID:4332
-
\??\c:\hbhtbh.exec:\hbhtbh.exe179⤵PID:3472
-
\??\c:\pjpdd.exec:\pjpdd.exe180⤵PID:884
-
\??\c:\pvdpd.exec:\pvdpd.exe181⤵PID:4576
-
\??\c:\lrxlxrf.exec:\lrxlxrf.exe182⤵PID:2000
-
\??\c:\nhbbnh.exec:\nhbbnh.exe183⤵PID:5048
-
\??\c:\3dpdd.exec:\3dpdd.exe184⤵PID:4748
-
\??\c:\pddpj.exec:\pddpj.exe185⤵PID:1256
-
\??\c:\fxrlxxf.exec:\fxrlxxf.exe186⤵PID:3480
-
\??\c:\tttnhh.exec:\tttnhh.exe187⤵PID:3428
-
\??\c:\pjdpp.exec:\pjdpp.exe188⤵PID:3096
-
\??\c:\xrxrlrr.exec:\xrxrlrr.exe189⤵PID:1876
-
\??\c:\nnnnhh.exec:\nnnnhh.exe190⤵PID:4596
-
\??\c:\nnttnh.exec:\nnttnh.exe191⤵PID:4876
-
\??\c:\djpvp.exec:\djpvp.exe192⤵PID:3616
-
\??\c:\jvdvp.exec:\jvdvp.exe193⤵PID:1732
-
\??\c:\lrfxrrx.exec:\lrfxrrx.exe194⤵PID:2812
-
\??\c:\bbnhbb.exec:\bbnhbb.exe195⤵PID:4792
-
\??\c:\jvvjv.exec:\jvvjv.exe196⤵PID:4568
-
\??\c:\frlfflx.exec:\frlfflx.exe197⤵PID:772
-
\??\c:\lrfxrrf.exec:\lrfxrrf.exe198⤵PID:2996
-
\??\c:\ttnnhh.exec:\ttnnhh.exe199⤵PID:4008
-
\??\c:\5jpjv.exec:\5jpjv.exe200⤵PID:3088
-
\??\c:\djdpj.exec:\djdpj.exe201⤵PID:1264
-
\??\c:\xrrlrrl.exec:\xrrlrrl.exe202⤵PID:3800
-
\??\c:\hntnbt.exec:\hntnbt.exe203⤵PID:3960
-
\??\c:\tttnhb.exec:\tttnhb.exe204⤵PID:4840
-
\??\c:\dpjdv.exec:\dpjdv.exe205⤵PID:3360
-
\??\c:\xfxxxrl.exec:\xfxxxrl.exe206⤵PID:3936
-
\??\c:\nbhhbn.exec:\nbhhbn.exe207⤵PID:3860
-
\??\c:\tttbnt.exec:\tttbnt.exe208⤵PID:3884
-
\??\c:\3pjdv.exec:\3pjdv.exe209⤵PID:2532
-
\??\c:\3fxxrrl.exec:\3fxxrrl.exe210⤵PID:2920
-
\??\c:\hhthnh.exec:\hhthnh.exe211⤵PID:180
-
\??\c:\btnbth.exec:\btnbth.exe212⤵PID:2704
-
\??\c:\djpjj.exec:\djpjj.exe213⤵PID:3692
-
\??\c:\5xfxlll.exec:\5xfxlll.exe214⤵PID:3444
-
\??\c:\bnnbnh.exec:\bnnbnh.exe215⤵PID:1064
-
\??\c:\pjppp.exec:\pjppp.exe216⤵PID:4160
-
\??\c:\9vjdj.exec:\9vjdj.exe217⤵PID:3236
-
\??\c:\7ffxrll.exec:\7ffxrll.exe218⤵PID:4488
-
\??\c:\bthhtt.exec:\bthhtt.exe219⤵PID:1572
-
\??\c:\dddvj.exec:\dddvj.exe220⤵PID:4628
-
\??\c:\jpjvp.exec:\jpjvp.exe221⤵PID:2540
-
\??\c:\flxrllf.exec:\flxrllf.exe222⤵PID:3268
-
\??\c:\tnbtbt.exec:\tnbtbt.exe223⤵PID:528
-
\??\c:\tttnnn.exec:\tttnnn.exe224⤵PID:2976
-
\??\c:\1pjvp.exec:\1pjvp.exe225⤵PID:2072
-
\??\c:\xrfffll.exec:\xrfffll.exe226⤵PID:4220
-
\??\c:\nntnnn.exec:\nntnnn.exe227⤵PID:4288
-
\??\c:\9hhbtt.exec:\9hhbtt.exe228⤵PID:1260
-
\??\c:\pdppp.exec:\pdppp.exe229⤵PID:4536
-
\??\c:\rfxrllx.exec:\rfxrllx.exe230⤵PID:3628
-
\??\c:\rllxrlf.exec:\rllxrlf.exe231⤵PID:3996
-
\??\c:\nnnbnh.exec:\nnnbnh.exe232⤵PID:4476
-
\??\c:\hhbtnh.exec:\hhbtnh.exe233⤵PID:2944
-
\??\c:\pvjdp.exec:\pvjdp.exe234⤵PID:4948
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe235⤵PID:1420
-
\??\c:\bnnbbb.exec:\bnnbbb.exe236⤵PID:4992
-
\??\c:\htthbb.exec:\htthbb.exe237⤵PID:4772
-
\??\c:\1pjdp.exec:\1pjdp.exe238⤵PID:3700
-
\??\c:\xrrlxxx.exec:\xrrlxxx.exe239⤵PID:3096
-
\??\c:\nhtnhh.exec:\nhtnhh.exe240⤵PID:2292
-
\??\c:\tbhtnh.exec:\tbhtnh.exe241⤵PID:3852
-
\??\c:\vjjdp.exec:\vjjdp.exe242⤵PID:3120