Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 04:45

Behavioral task: behavioral1
- Sample: 77aebc7d210a3fed71509aa9f6245f50_NeikiAnalytics.exe
- Resource: win7-20240215-en
General
- Target: 77aebc7d210a3fed71509aa9f6245f50_NeikiAnalytics.exe
- Size: 350KB
- MD5: 77aebc7d210a3fed71509aa9f6245f50
- SHA1: 08adb7c9e7246b3f7f703c9f8cffe55c13b1f28a
- SHA256: 4311158ebe13a47e2fadbea63d3688a5609a8caeaf0550aa595c0421b8ee411b
- SHA512: b98c4618de707df419a4b942d25f638287eddd80f1c82f24c311510eabc30d414dc8bc0d08a9474ed265a1f38aabfcd80ad02fdcedade1dca795831e5afa7dc9
- SSDEEP: 6144:4cm7ImGddXvJuzyy/SfVFKpU/sien7NuOpo0HmtDKe0wKyKqiOfm8RCfDK4TrHX:+7TcBuGy/Sa+/sie0OpncKe/KFBOfmzP
Malware Config
Signatures
- Detect Blackmoon payload (42 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/3008-95-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2712-125-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2688-150-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2924-205-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/608-216-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/1364-251-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2348-279-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/764-311-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2728-412-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/996-544-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/1760-552-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2640-585-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2076-741-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2796-767-0x0000000000220000-0x000000000024D000-memory.dmp | family_blackmoon
behavioral1/memory/2308-995-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2968-910-0x0000000000220000-0x000000000024D000-memory.dmp | family_blackmoon
behavioral1/memory/2216-795-0x0000000000220000-0x000000000024D000-memory.dmp | family_blackmoon
behavioral1/memory/608-775-0x0000000000220000-0x000000000024D000-memory.dmp | family_blackmoon
behavioral1/memory/2796-760-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2396-721-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2632-572-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/1736-571-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2612-349-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/1608-310-0x00000000001B0000-0x00000000001DD000-memory.dmp | family_blackmoon
behavioral1/memory/1524-295-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/1992-261-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2112-241-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/584-233-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/1208-193-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/1576-174-0x00000000001B0000-0x00000000001DD000-memory.dmp | family_blackmoon
behavioral1/memory/1684-141-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2992-108-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/304-105-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2468-86-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/1988-70-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2800-68-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2556-59-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2920-49-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2584-39-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2760-29-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/3040-19-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
behavioral1/memory/2944-9-0x0000000000400000-0x000000000042D000-memory.dmp | family_blackmoon
- Malware Dropper & Backdoor - Berbew (33 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource | yara_rule
C:\hbntbh.exe | family_berbew
\??\c:\pjjvj.exe | family_berbew
\??\c:\pvpdp.exe | family_berbew
\??\c:\1tthhn.exe | family_berbew
C:\jjvjv.exe | family_berbew
C:\xxflrxl.exe | family_berbew
C:\bthnht.exe | family_berbew
C:\fxlfllr.exe | family_berbew
\??\c:\5vpdj.exe | family_berbew
\??\c:\xlllxfr.exe | family_berbew
\??\c:\nhbnhn.exe | family_berbew
C:\7rfflxf.exe | family_berbew
C:\fxflflr.exe | family_berbew
C:\vjdpd.exe | family_berbew
\??\c:\tbbntb.exe | family_berbew
\??\c:\vpvpj.exe | family_berbew
\??\c:\dppdv.exe | family_berbew
\??\c:\9lfrllx.exe | family_berbew
C:\ddvdp.exe | family_berbew
\??\c:\1btbbn.exe | family_berbew
\??\c:\btntnn.exe | family_berbew
\??\c:\9bthhn.exe | family_berbew
\??\c:\5httbh.exe | family_berbew
\??\c:\9fxfrrf.exe | family_berbew
\??\c:\hhhntb.exe | family_berbew
\??\c:\ddddd.exe | family_berbew
\??\c:\dvpvj.exe | family_berbew
\??\c:\bbntht.exe | family_berbew
\??\c:\dvvpd.exe | family_berbew
\??\c:\jdjjv.exe | family_berbew
\??\c:\lllxfrl.exe | family_berbew
\??\c:\rrflfll.exe | family_berbew
behavioral1/memory/2924-3854-0x00000000005C0000-0x00000000005ED000-memory.dmp | family_berbew
- Executes dropped EXE (64 IoCs)
Processes:
pid | process
3040 | rrflfll.exe
2760 | hbntbh.exe
2584 | pjjvj.exe
2920 | pvpdp.exe
2556 | lllxfrl.exe
2800 | 1tthhn.exe
1988 | jdjjv.exe
2468 | jjvjv.exe
3008 | xxflrxl.exe
304 | bthnht.exe
2992 | dvvpd.exe
2092 | fxlfllr.exe
2712 | bbntht.exe
1684 | dvpvj.exe
2688 | 5vpdj.exe
2540 | xlllxfr.exe
2872 | nhbnhn.exe
1576 | ddddd.exe
1532 | 7rfflxf.exe
1208 | fxflflr.exe
2928 | hhhntb.exe
2924 | vjdpd.exe
608 | 9fxfrrf.exe
584 | 5httbh.exe
2112 | tbbntb.exe
1364 | vpvpj.exe
1992 | 9bthhn.exe
932 | dppdv.exe
1932 | 9lfrllx.exe
2348 | btntnn.exe
1524 | 1btbbn.exe
1920 | ddvdp.exe
1608 | lxlrlrf.exe
764 | 3hbbnn.exe
2260 | jppdv.exe
2640 | xfxlxrf.exe
2912 | ttntnt.exe
2748 | vpjdd.exe
3032 | fxxfffr.exe
2612 | flrfflr.exe
2716 | nhhnhn.exe
3004 | dvpvd.exe
2740 | lfxflfl.exe
2876 | hbbntt.exe
304 | hbtbnt.exe
2252 | pjdjv.exe
1748 | xrlrffl.exe
1636 | 1rxflxx.exe
2728 | 3thntb.exe
2780 | ppdvv.exe
2688 | 7vjjp.exe
2828 | 3fflfrf.exe
2448 | lrlrxxr.exe
1624 | hbnnbb.exe
2056 | htnttt.exe
2168 | xfxlrfr.exe
2416 | rrxfffr.exe
2104 | 5hthhh.exe
2672 | 1nhnhn.exe
788 | jdjpv.exe
608 | 1frxrxf.exe
2404 | ttbhnt.exe
2228 | btthtn.exe
2960 | vvjvj.exe
Processes:
resource | yara_rule
behavioral1/memory/2944-0-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2920-40-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2800-60-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/3008-95-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2712-125-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2688-150-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2924-205-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/608-216-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1364-251-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2348-279-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/764-311-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2728-412-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/608-480-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2960-499-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/996-544-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1760-552-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2640-585-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2600-610-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2076-741-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2216-788-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1696-808-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/888-822-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2520-1087-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1096-1149-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2820-1228-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2828-1265-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2936-1279-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1656-1050-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2308-995-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2496-860-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2420-815-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2796-760-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1208-734-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2396-721-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2600-656-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2652-653-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2632-572-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1736-571-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1528-545-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2612-349-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1524-295-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1524-287-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1992-261-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1992-252-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1364-243-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2112-241-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/584-233-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/584-225-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1208-193-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1684-141-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1684-133-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2092-115-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2992-108-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/304-105-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/304-96-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2468-86-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/1988-70-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2800-68-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2556-59-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2556-50-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2920-49-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2584-39-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2584-30-0x0000000000400000-0x000000000042D000-memory.dmp | upx
behavioral1/memory/2760-29-0x0000000000400000-0x000000000042D000-memory.dmp | upx
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 2944 wrote to memory of 3040 | 2944 | 77aebc7d210a3fed71509aa9f6245f50_NeikiAnalytics.exe | rrflfll.exe
PID 2944 wrote to memory of 3040 | 2944 | 77aebc7d210a3fed71509aa9f6245f50_NeikiAnalytics.exe | rrflfll.exe
PID 2944 wrote to memory of 3040 | 2944 | 77aebc7d210a3fed71509aa9f6245f50_NeikiAnalytics.exe | rrflfll.exe
PID 2944 wrote to memory of 3040 | 2944 | 77aebc7d210a3fed71509aa9f6245f50_NeikiAnalytics.exe | rrflfll.exe
PID 3040 wrote to memory of 2760 | 3040 | rrflfll.exe | hbntbh.exe
PID 3040 wrote to memory of 2760 | 3040 | rrflfll.exe | hbntbh.exe
PID 3040 wrote to memory of 2760 | 3040 | rrflfll.exe | hbntbh.exe
PID 3040 wrote to memory of 2760 | 3040 | rrflfll.exe | hbntbh.exe
PID 2760 wrote to memory of 2584 | 2760 | hbntbh.exe | pjjvj.exe
PID 2760 wrote to memory of 2584 | 2760 | hbntbh.exe | pjjvj.exe
PID 2760 wrote to memory of 2584 | 2760 | hbntbh.exe | pjjvj.exe
PID 2760 wrote to memory of 2584 | 2760 | hbntbh.exe | pjjvj.exe
PID 2584 wrote to memory of 2920 | 2584 | pjjvj.exe | pvpdp.exe
PID 2584 wrote to memory of 2920 | 2584 | pjjvj.exe | pvpdp.exe
PID 2584 wrote to memory of 2920 | 2584 | pjjvj.exe | pvpdp.exe
PID 2584 wrote to memory of 2920 | 2584 | pjjvj.exe | pvpdp.exe
PID 2920 wrote to memory of 2556 | 2920 | pvpdp.exe | lllxfrl.exe
PID 2920 wrote to memory of 2556 | 2920 | pvpdp.exe | lllxfrl.exe
PID 2920 wrote to memory of 2556 | 2920 | pvpdp.exe | lllxfrl.exe
PID 2920 wrote to memory of 2556 | 2920 | pvpdp.exe | lllxfrl.exe
PID 2556 wrote to memory of 2800 | 2556 | lllxfrl.exe | 1tthhn.exe
PID 2556 wrote to memory of 2800 | 2556 | lllxfrl.exe | 1tthhn.exe
PID 2556 wrote to memory of 2800 | 2556 | lllxfrl.exe | 1tthhn.exe
PID 2556 wrote to memory of 2800 | 2556 | lllxfrl.exe | 1tthhn.exe
PID 2800 wrote to memory of 1988 | 2800 | 1tthhn.exe | jdjjv.exe
PID 2800 wrote to memory of 1988 | 2800 | 1tthhn.exe | jdjjv.exe
PID 2800 wrote to memory of 1988 | 2800 | 1tthhn.exe | jdjjv.exe
PID 2800 wrote to memory of 1988 | 2800 | 1tthhn.exe | jdjjv.exe
PID 1988 wrote to memory of 2468 | 1988 | jdjjv.exe | 7nthht.exe
PID 1988 wrote to memory of 2468 | 1988 | jdjjv.exe | 7nthht.exe
PID 1988 wrote to memory of 2468 | 1988 | jdjjv.exe | 7nthht.exe
PID 1988 wrote to memory of 2468 | 1988 | jdjjv.exe | 7nthht.exe
PID 2468 wrote to memory of 3008 | 2468 | jjvjv.exe | xxflrxl.exe
PID 2468 wrote to memory of 3008 | 2468 | jjvjv.exe | xxflrxl.exe
PID 2468 wrote to memory of 3008 | 2468 | jjvjv.exe | xxflrxl.exe
PID 2468 wrote to memory of 3008 | 2468 | jjvjv.exe | xxflrxl.exe
PID 3008 wrote to memory of 304 | 3008 | xxflrxl.exe | hbtbnt.exe
PID 3008 wrote to memory of 304 | 3008 | xxflrxl.exe | hbtbnt.exe
PID 3008 wrote to memory of 304 | 3008 | xxflrxl.exe | hbtbnt.exe
PID 3008 wrote to memory of 304 | 3008 | xxflrxl.exe | hbtbnt.exe
PID 304 wrote to memory of 2992 | 304 | bthnht.exe | dvvpd.exe
PID 304 wrote to memory of 2992 | 304 | bthnht.exe | dvvpd.exe
PID 304 wrote to memory of 2992 | 304 | bthnht.exe | dvvpd.exe
PID 304 wrote to memory of 2992 | 304 | bthnht.exe | dvvpd.exe
PID 2992 wrote to memory of 2092 | 2992 | dvvpd.exe | fxlfllr.exe
PID 2992 wrote to memory of 2092 | 2992 | dvvpd.exe | fxlfllr.exe
PID 2992 wrote to memory of 2092 | 2992 | dvvpd.exe | fxlfllr.exe
PID 2992 wrote to memory of 2092 | 2992 | dvvpd.exe | fxlfllr.exe
PID 2092 wrote to memory of 2712 | 2092 | fxlfllr.exe | bbntht.exe
PID 2092 wrote to memory of 2712 | 2092 | fxlfllr.exe | bbntht.exe
PID 2092 wrote to memory of 2712 | 2092 | fxlfllr.exe | bbntht.exe
PID 2092 wrote to memory of 2712 | 2092 | fxlfllr.exe | bbntht.exe
PID 2712 wrote to memory of 1684 | 2712 | bbntht.exe | dvpvj.exe
PID 2712 wrote to memory of 1684 | 2712 | bbntht.exe | dvpvj.exe
PID 2712 wrote to memory of 1684 | 2712 | bbntht.exe | dvpvj.exe
PID 2712 wrote to memory of 1684 | 2712 | bbntht.exe | dvpvj.exe
PID 1684 wrote to memory of 2688 | 1684 | dvpvj.exe | 5vpdj.exe
PID 1684 wrote to memory of 2688 | 1684 | dvpvj.exe | 5vpdj.exe
PID 1684 wrote to memory of 2688 | 1684 | dvpvj.exe | 5vpdj.exe
PID 1684 wrote to memory of 2688 | 1684 | dvpvj.exe | 5vpdj.exe
PID 2688 wrote to memory of 2540 | 2688 | 5vpdj.exe | xlllxfr.exe
PID 2688 wrote to memory of 2540 | 2688 | 5vpdj.exe | xlllxfr.exe
PID 2688 wrote to memory of 2540 | 2688 | 5vpdj.exe | xlllxfr.exe
PID 2688 wrote to memory of 2540 | 2688 | 5vpdj.exe | xlllxfr.exe
Processes
path | command line | tree level | PID
C:\Users\Admin\AppData\Local\Temp\77aebc7d210a3fed71509aa9f6245f50_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\77aebc7d210a3fed71509aa9f6245f50_NeikiAnalytics.exe" | 1 | PID:2944
- Suspicious use of WriteProcessMemory
\??\c:\rrflfll.exe | c:\rrflfll.exe | 2 | PID:3040
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\hbntbh.exe | c:\hbntbh.exe | 3 | PID:2760
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\pjjvj.exe | c:\pjjvj.exe | 4 | PID:2584
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\pvpdp.exe | c:\pvpdp.exe | 5 | PID:2920
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\lllxfrl.exe | c:\lllxfrl.exe | 6 | PID:2556
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\1tthhn.exe | c:\1tthhn.exe | 7 | PID:2800
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\jdjjv.exe | c:\jdjjv.exe | 8 | PID:1988
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\jjvjv.exe | c:\jjvjv.exe | 9 | PID:2468
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\xxflrxl.exe | c:\xxflrxl.exe | 10 | PID:3008
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\bthnht.exe | c:\bthnht.exe | 11 | PID:304
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\dvvpd.exe | c:\dvvpd.exe | 12 | PID:2992
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\fxlfllr.exe | c:\fxlfllr.exe | 13 | PID:2092
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\bbntht.exe | c:\bbntht.exe | 14 | PID:2712
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\dvpvj.exe | c:\dvpvj.exe | 15 | PID:1684
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\5vpdj.exe | c:\5vpdj.exe | 16 | PID:2688
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\xlllxfr.exe | c:\xlllxfr.exe | 17 | PID:2540
- Executes dropped EXE
\??\c:\nhbnhn.exe | c:\nhbnhn.exe | 18 | PID:2872
- Executes dropped EXE
\??\c:\ddddd.exe | c:\ddddd.exe | 19 | PID:1576
- Executes dropped EXE
\??\c:\7rfflxf.exe | c:\7rfflxf.exe | 20 | PID:1532
- Executes dropped EXE
\??\c:\fxflflr.exe | c:\fxflflr.exe | 21 | PID:1208
- Executes dropped EXE
\??\c:\hhhntb.exe | c:\hhhntb.exe | 22 | PID:2928
- Executes dropped EXE
\??\c:\vjdpd.exe | c:\vjdpd.exe | 23 | PID:2924
- Executes dropped EXE
\??\c:\9fxfrrf.exe | c:\9fxfrrf.exe | 24 | PID:608
- Executes dropped EXE
\??\c:\5httbh.exe | c:\5httbh.exe | 25 | PID:584
- Executes dropped EXE
\??\c:\tbbntb.exe | c:\tbbntb.exe | 26 | PID:2112
- Executes dropped EXE
\??\c:\vpvpj.exe | c:\vpvpj.exe | 27 | PID:1364
- Executes dropped EXE
\??\c:\9bthhn.exe | c:\9bthhn.exe | 28 | PID:1992
- Executes dropped EXE
\??\c:\dppdv.exe | c:\dppdv.exe | 29 | PID:932
- Executes dropped EXE
\??\c:\9lfrllx.exe | c:\9lfrllx.exe | 30 | PID:1932
- Executes dropped EXE
\??\c:\btntnn.exe | c:\btntnn.exe | 31 | PID:2348
- Executes dropped EXE
\??\c:\1btbbn.exe | c:\1btbbn.exe | 32 | PID:1524
- Executes dropped EXE
\??\c:\ddvdp.exe | c:\ddvdp.exe | 33 | PID:1920
- Executes dropped EXE
\??\c:\lxlrlrf.exe | c:\lxlrlrf.exe | 34 | PID:1608
- Executes dropped EXE
\??\c:\3hbbnn.exe | c:\3hbbnn.exe | 35 | PID:764
- Executes dropped EXE
\??\c:\jppdv.exe | c:\jppdv.exe | 36 | PID:2260
- Executes dropped EXE
\??\c:\xfxlxrf.exe | c:\xfxlxrf.exe | 37 | PID:2640
- Executes dropped EXE
\??\c:\ttntnt.exe | c:\ttntnt.exe | 38 | PID:2912
- Executes dropped EXE
\??\c:\vpjdd.exe | c:\vpjdd.exe | 39 | PID:2748
- Executes dropped EXE
\??\c:\fxxfffr.exe | c:\fxxfffr.exe | 40 | PID:3032
- Executes dropped EXE
\??\c:\flrfflr.exe | c:\flrfflr.exe | 41 | PID:2612
- Executes dropped EXE
\??\c:\nhhnhn.exe | c:\nhhnhn.exe | 42 | PID:2716
- Executes dropped EXE
\??\c:\dvpvd.exe | c:\dvpvd.exe | 43 | PID:3004
- Executes dropped EXE
\??\c:\lfxflfl.exe | c:\lfxflfl.exe | 44 | PID:2740
- Executes dropped EXE
\??\c:\hbbntt.exe | c:\hbbntt.exe | 45 | PID:2876
- Executes dropped EXE
\??\c:\hbtbnt.exe | c:\hbtbnt.exe | 46 | PID:304
- Executes dropped EXE
\??\c:\pjdjv.exe | c:\pjdjv.exe | 47 | PID:2252
- Executes dropped EXE
\??\c:\xrlrffl.exe | c:\xrlrffl.exe | 48 | PID:1748
- Executes dropped EXE
\??\c:\1rxflxx.exe | c:\1rxflxx.exe | 49 | PID:1636
- Executes dropped EXE
\??\c:\3thntb.exe | c:\3thntb.exe | 50 | PID:2728
- Executes dropped EXE
\??\c:\ppdvv.exe | c:\ppdvv.exe | 51 | PID:2780
- Executes dropped EXE
\??\c:\7vjjp.exe | c:\7vjjp.exe | 52 | PID:2688
- Executes dropped EXE
\??\c:\3fflfrf.exe | c:\3fflfrf.exe | 53 | PID:2828
- Executes dropped EXE
\??\c:\lrlrxxr.exe | c:\lrlrxxr.exe | 54 | PID:2448
- Executes dropped EXE
\??\c:\hbnnbb.exe | c:\hbnnbb.exe | 55 | PID:1624
- Executes dropped EXE
\??\c:\htnttt.exe | c:\htnttt.exe | 56 | PID:2056
- Executes dropped EXE
\??\c:\xfxlrfr.exe | c:\xfxlrfr.exe | 57 | PID:2168
- Executes dropped EXE
\??\c:\rrxfffr.exe | c:\rrxfffr.exe | 58 | PID:2416
- Executes dropped EXE
\??\c:\5hthhh.exe | c:\5hthhh.exe | 59 | PID:2104
- Executes dropped EXE
\??\c:\1nhnhn.exe | c:\1nhnhn.exe | 60 | PID:2672
- Executes dropped EXE
\??\c:\jdjpv.exe | c:\jdjpv.exe | 61 | PID:788
- Executes dropped EXE
\??\c:\1frxrxf.exe | c:\1frxrxf.exe | 62 | PID:608
- Executes dropped EXE
\??\c:\ttbhnt.exe | c:\ttbhnt.exe | 63 | PID:2404
- Executes dropped EXE
\??\c:\btthtn.exe | c:\btthtn.exe | 64 | PID:2228
- Executes dropped EXE
\??\c:\vvjvj.exe | c:\vvjvj.exe | 65 | PID:2960
- Executes dropped EXE
\??\c:\5flxlrx.exe | c:\5flxlrx.exe | 66 | PID:2372
\??\c:\hnnnnh.exe | c:\hnnnnh.exe | 67 | PID:320
\??\c:\nthtnh.exe | c:\nthtnh.exe | 68 | PID:2080
\??\c:\vvjvp.exe | c:\vvjvp.exe | 69 | PID:572
\??\c:\xflflfl.exe | c:\xflflfl.exe | 70 | PID:548
\??\c:\nnttbb.exe | c:\nnttbb.exe | 71 | PID:996
\??\c:\tbbtbt.exe | c:\tbbtbt.exe | 72 | PID:1528
\??\c:\1jvvj.exe | c:\1jvvj.exe | 73 | PID:1760
\??\c:\fffxrff.exe | c:\fffxrff.exe | 74 | PID:576
\??\c:\5frxflx.exe | c:\5frxflx.exe | 75 | PID:1736
\??\c:\3hnnbh.exe | c:\3hnnbh.exe | 76 | PID:2632
\??\c:\1hhbbh.exe | c:\1hhbbh.exe | 77 | PID:2596
\??\c:\vdvpp.exe | c:\vdvpp.exe | 78 | PID:2640
\??\c:\ppjjp.exe | c:\ppjjp.exe | 79 | PID:2572
\??\c:\5xllrxf.exe | c:\5xllrxf.exe | 80 | PID:3064
\??\c:\tnbntn.exe | c:\tnbntn.exe | 81 | PID:2576
\??\c:\nhhtth.exe | c:\nhhtth.exe | 82 | PID:2600
\??\c:\3vdvd.exe | c:\3vdvd.exe | 83 | PID:2944
\??\c:\jvjdp.exe | c:\jvjdp.exe | 84 | PID:2788
\??\c:\3frxlrx.exe | c:\3frxlrx.exe | 85 | PID:2256
\??\c:\rfrrxfl.exe | c:\rfrrxfl.exe | 86 | PID:2480
\??\c:\btbhtt.exe | c:\btbhtt.exe | 87 | PID:2852
\??\c:\ddddp.exe | c:\ddddp.exe | 88 | PID:1692
\??\c:\vvjpj.exe | c:\vvjpj.exe | 89 | PID:2652
\??\c:\lfxfrrf.exe | c:\lfxfrrf.exe | 90 | PID:2328
\??\c:\3rrrxfl.exe | c:\3rrrxfl.exe | 91 | PID:1284
\??\c:\hnbnth.exe | c:\hnbnth.exe | 92 | PID:2684
\??\c:\dpddv.exe | c:\dpddv.exe | 93 | PID:2772
\??\c:\ddjvd.exe | c:\ddjvd.exe | 94 | PID:2728
\??\c:\lxrlrxf.exe | c:\lxrlrxf.exe | 95 | PID:2780
\??\c:\bnthhn.exe | c:\bnthhn.exe | 96 | PID:2164
\??\c:\vjppv.exe | c:\vjppv.exe | 97 | PID:2432
\??\c:\9vpjp.exe | c:\9vpjp.exe | 98 | PID:1564
\??\c:\lllxfrf.exe | c:\lllxfrf.exe | 99 | PID:2448
\??\c:\xlrllll.exe | c:\xlrllll.exe | 100 | PID:2396
\??\c:\bnhttb.exe | c:\bnhttb.exe | 101 | PID:916
\??\c:\pjvjj.exe | c:\pjvjj.exe | 102 | PID:1208
\??\c:\pjjvj.exe | c:\pjjvj.exe | 103 | PID:2076
\??\c:\rrfllfx.exe | c:\rrfllfx.exe | 104 | PID:336
\??\c:\xrrxffl.exe | c:\xrrxffl.exe | 105 | PID:1384
\??\c:\hhhbtb.exe | c:\hhhbtb.exe | 106 | PID:2796
\??\c:\dvjpv.exe | c:\dvjpv.exe | 107 | PID:608
\??\c:\pjpjd.exe | c:\pjpjd.exe | 108 | PID:624
\??\c:\lxxfrfx.exe | c:\lxxfrfx.exe | 109 | PID:1072
\??\c:\hbntnt.exe | c:\hbntnt.exe | 110 | PID:2216
\??\c:\bnbntn.exe | c:\bnbntn.exe | 111 | PID:632
\??\c:\pjvdv.exe | c:\pjvdv.exe | 112 | PID:796
\??\c:\lfrxllx.exe | c:\lfrxllx.exe | 113 | PID:1696
\??\c:\rfrlxrr.exe | c:\rfrlxrr.exe | 114 | PID:2420
\??\c:\bthnnh.exe | c:\bthnnh.exe | 115 | PID:888
\??\c:\vvpdp.exe | c:\vvpdp.exe | 116 | PID:2972
\??\c:\pjvdp.exe | c:\pjvdp.exe | 117 | PID:1720
\??\c:\lrxllfl.exe | c:\lrxllfl.exe | 118 | PID:1608
\??\c:\fllrxfr.exe | c:\fllrxfr.exe | 119 | PID:576
\??\c:\nhbhbh.exe | c:\nhbhbh.exe | 120 | PID:1736
\??\c:\ppjpv.exe | c:\ppjpv.exe | 121 | PID:2496
\??\c:\pjvpv.exe | c:\pjvpv.exe | 122 | PID:2756
\??\c:\xrrxrxr.exe | c:\xrrxrxr.exe | 123 | PID:2640
\??\c:\flxrflx.exe | c:\flxrflx.exe | 124 | PID:2572
\??\c:\1nhthh.exe | c:\1nhthh.exe | 125 | PID:3064
\??\c:\1tttth.exe | c:\1tttth.exe | 126 | PID:2800
\??\c:\vvpdp.exe | c:\vvpdp.exe | 127 | PID:2600
\??\c:\ppjdd.exe | c:\ppjdd.exe | 128 | PID:2968
\??\c:\rrlxllr.exe | c:\rrlxllr.exe | 129 | PID:2340
\??\c:\tbbbnt.exe | c:\tbbbnt.exe | 130 | PID:848
\??\c:\3nbbnt.exe | c:\3nbbnt.exe | 131 | PID:2740
\??\c:\pjvpd.exe | c:\pjvpd.exe | 132 | PID:1740
\??\c:\vpdjv.exe | c:\vpdjv.exe | 133 | PID:2532
\??\c:\xxrxfxr.exe | c:\xxrxfxr.exe | 134 | PID:1412
\??\c:\rlrxffx.exe | c:\rlrxffx.exe | 135 | PID:2328
\??\c:\bbtbtb.exe | c:\bbtbtb.exe | 136 | PID:1996
\??\c:\tthhtb.exe | c:\tthhtb.exe | 137 | PID:2708
\??\c:\ddpjv.exe | c:\ddpjv.exe | 138 | PID:2504
\??\c:\dvppd.exe | c:\dvppd.exe | 139 | PID:1980
\??\c:\llfrlrf.exe | c:\llfrlrf.exe | 140 | PID:2072
\??\c:\rfrxrxf.exe | c:\rfrxrxf.exe | 141 | PID:2828
\??\c:\3nhhtt.exe | c:\3nhhtt.exe | 142 | PID:1212
\??\c:\5tnbnn.exe | c:\5tnbnn.exe | 143 | PID:2308
\??\c:\jjjdj.exe | c:\jjjdj.exe | 144 | PID:1808
\??\c:\jdppp.exe | c:\jdppp.exe | 145 | PID:1232
\??\c:\fxrfrfl.exe | c:\fxrfrfl.exe | 146 | PID:1688
\??\c:\flxxflr.exe | c:\flxxflr.exe | 147 | PID:1604
\??\c:\ntntnt.exe | c:\ntntnt.exe | 148 | PID:808
\??\c:\hnhnht.exe | c:\hnhnht.exe | 149 | PID:1504
\??\c:\pjjpd.exe | c:\pjjpd.exe | 150 | PID:1984
\??\c:\jdjvj.exe | c:\jdjvj.exe | 151 | PID:2844
\??\c:\1llrxxf.exe | c:\1llrxxf.exe | 152 | PID:1656
\??\c:\7rxxrrx.exe | c:\7rxxrrx.exe | 153 | PID:1868
\??\c:\hhbthn.exe | c:\hhbthn.exe | 154 | PID:964
\??\c:\1bhtbn.exe | c:\1bhtbn.exe | 155 | PID:2804
\??\c:\jdppv.exe | c:\jdppv.exe | 156 | PID:1992
\??\c:\5djjv.exe | c:\5djjv.exe | 157 | PID:2896
\??\c:\rrfllrl.exe | c:\rrfllrl.exe | 158 | PID:2520
\??\c:\lllxrrl.exe | c:\lllxrrl.exe | 159 | PID:900
\??\c:\tnhhnh.exe | c:\tnhhnh.exe | 160 | PID:2112
\??\c:\3ttbht.exe | c:\3ttbht.exe | 161 | PID:1524
\??\c:\jjdpj.exe | c:\jjdpj.exe | 162 | PID:1036
\??\c:\ppjpj.exe | c:\ppjpj.exe | 163 | PID:2084
\??\c:\llxllrf.exe | c:\llxllrf.exe | 164 | PID:1660
\??\c:\rrlxrxl.exe | c:\rrlxrxl.exe | 165 | PID:2752
\??\c:\pvpvj.exe | c:\pvpvj.exe | 166 | PID:2908
\??\c:\fflrfll.exe | c:\fflrfll.exe | 167 | PID:2628
\??\c:\nnthhn.exe | c:\nnthhn.exe | 168 | PID:1096
\??\c:\tntbth.exe | c:\tntbth.exe | 169 | PID:284
\??\c:\ppvdj.exe | c:\ppvdj.exe | 170 | PID:2436
\??\c:\vpppd.exe | c:\vpppd.exe | 171 | PID:1816
\??\c:\tnbnbb.exe | c:\tnbnbb.exe | 172 | PID:2616
\??\c:\nhhtth.exe | c:\nhhtth.exe | 173 | PID:2264
\??\c:\3pjjj.exe | c:\3pjjj.exe | 174 | PID:2860
\??\c:\fxlrffr.exe | c:\fxlrffr.exe | 175 | PID:2664
\??\c:\lfrxrxl.exe | c:\lfrxrxl.exe | 176 | PID:2660
\??\c:\5rrfflr.exe | c:\5rrfflr.exe | 177 | PID:2476
\??\c:\bbtbbh.exe | c:\bbtbbh.exe | 178 | PID:2296
\??\c:\tnbtnh.exe | c:\tnbtnh.exe | 179 | PID:2532
\??\c:\3pdpp.exe | c:\3pdpp.exe | 180 | PID:1412
\??\c:\ddjjv.exe | c:\ddjjv.exe | 181 | PID:2820
\??\c:\3rfflrx.exe | c:\3rfflrx.exe | 182 | PID:2888
\??\c:\lffxrxf.exe | c:\lffxrxf.exe | 183 | PID:2732
\??\c:\nnhntb.exe | c:\nnhntb.exe | 184 | PID:2836
\??\c:\nnthhn.exe | c:\nnthhn.exe | 185 | PID:1980
\??\c:\jjpdj.exe | c:\jjpdj.exe | 186 | PID:2780
\??\c:\vpjvj.exe | c:\vpjvj.exe | 187 | PID:2828
\??\c:\fflrlrf.exe | c:\fflrlrf.exe | 188 | PID:2316
\??\c:\xxrxllx.exe | c:\xxrxllx.exe | 189 | PID:2936
\??\c:\bthntt.exe | c:\bthntt.exe | 190 | PID:1856
\??\c:\jjddp.exe | c:\jjddp.exe | 191 | PID:1916
\??\c:\pjdvp.exe | c:\pjdvp.exe | 192 | PID:652
\??\c:\7rflxfr.exe | c:\7rflxfr.exe | 193 | PID:2672
\??\c:\fllrlrf.exe | c:\fllrlrf.exe | 194 | PID:2156
\??\c:\hbtttb.exe | c:\hbtttb.exe | 195 | PID:1504
\??\c:\nnntnt.exe | c:\nnntnt.exe | 196 | PID:1984
\??\c:\jdvdj.exe | c:\jdvdj.exe | 197 | PID:2844
\??\c:\7vjvv.exe | c:\7vjvv.exe | 198 | PID:112
\??\c:\lfflrxf.exe | c:\lfflrxf.exe | 199 | PID:1868
\??\c:\xxlrfrf.exe | c:\xxlrfrf.exe | 200 | PID:964
\??\c:\btbnhb.exe | c:\btbnhb.exe | 201 | PID:712
\??\c:\1nhntt.exe | c:\1nhntt.exe | 202 | PID:1700
\??\c:\jvjvv.exe | c:\jvjvv.exe | 203 | PID:2080
\??\c:\djppp.exe | c:\djppp.exe | 204 | PID:2288
\??\c:\rllxlrx.exe | c:\rllxlrx.exe | 205 | PID:900
\??\c:\frllflx.exe | c:\frllflx.exe | 206 | PID:2112
\??\c:\5nbthh.exe | c:\5nbthh.exe | 207 | PID:1524
\??\c:\vvvjp.exe | c:\vvvjp.exe | 208 | PID:1036
\??\c:\jvpvd.exe | c:\jvpvd.exe | 209 | PID:2084
\??\c:\rllrxfr.exe | c:\rllrxfr.exe | 210 | PID:1288
\??\c:\5lfrxfl.exe | c:\5lfrxfl.exe | 211 | PID:2580
\??\c:\bhhtbn.exe | c:\bhhtbn.exe | 212 | PID:324
\??\c:\nthnnn.exe | c:\nthnnn.exe | 213 | PID:2756
\??\c:\vpvvd.exe | c:\vpvvd.exe | 214 | PID:1320
\??\c:\vpjpp.exe | c:\vpjpp.exe | 215 | PID:2300
\??\c:\xlffrrl.exe | c:\xlffrrl.exe | 216 | PID:2572
\??\c:\rrrxrxr.exe | c:\rrrxrxr.exe | 217 | PID:2060
\??\c:\frfffrr.exe | c:\frfffrr.exe | 218 | PID:2512
\??\c:\7nthht.exe | c:\7nthht.exe | 219 | PID:2468
\??\c:\1dpdd.exe | c:\1dpdd.exe | 220 | PID:1796
\??\c:\jpppv.exe | c:\jpppv.exe | 221 | PID:2464
\??\c:\3ntbht.exe | c:\3ntbht.exe | 222 | PID:2748
\??\c:\hbtbtt.exe | c:\hbtbtt.exe | 223 | PID:2740
\??\c:\1vjpp.exe | c:\1vjpp.exe | 224 | PID:2608
\??\c:\nhhhtb.exe | c:\nhhhtb.exe | 225 | PID:2996
\??\c:\jjddj.exe | c:\jjddj.exe | 226 | PID:1248
\??\c:\rlfrflr.exe | c:\rlfrflr.exe | 227 | PID:2692
\??\c:\bttbbh.exe | c:\bttbbh.exe | 228 | PID:2452
\??\c:\3dvvd.exe | c:\3dvvd.exe | 229 | PID:2784
\??\c:\5frrfrx.exe | c:\5frrfrx.exe | 230 | PID:2772
\??\c:\bhhbbn.exe | c:\bhhbbn.exe | 231 | PID:2360
\??\c:\vpdjp.exe | c:\vpdjp.exe | 232 | PID:2164
\??\c:\pjpjj.exe | c:\pjpjj.exe | 233 | PID:2432
\??\c:\hbtnnh.exe | c:\hbtnnh.exe | 234 | PID:1564
\??\c:\vppvd.exe | c:\vppvd.exe | 235 | PID:2964
\??\c:\7rlxrrf.exe | c:\7rlxrrf.exe | 236 | PID:1808
\??\c:\jjjjj.exe | c:\jjjjj.exe | 237 | PID:2312
\??\c:\fllxflx.exe | c:\fllxflx.exe | 238 | PID:1688
\??\c:\7hhttb.exe | c:\7hhttb.exe | 239 | PID:1604
\??\c:\vdvjv.exe | c:\vdvjv.exe | 240 | PID:3016
\??\c:\7xxfrxl.exe | c:\7xxfrxl.exe | 241 | PID:3056
\??\c:\jjjdj.exe | c:\jjjdj.exe | 242 | PID:1112