Analysis
-
max time kernel
150s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
31-05-2024 05:55
Behavioral task
behavioral1
Sample
79cc60dd48574053ccbc25690ba774d0_NeikiAnalytics.exe
Resource
win7-20240508-en
General
-
Target
79cc60dd48574053ccbc25690ba774d0_NeikiAnalytics.exe
-
Size
251KB
-
MD5
79cc60dd48574053ccbc25690ba774d0
-
SHA1
5174c77972294663cce9a4f6b500eb899067278e
-
SHA256
a4268244d7ee8185be1570a461b78f4fb4101860b60678280574b8469311b720
-
SHA512
48a7cf9771639588b073ccd7ad7d0d8f3d8a9fc590a8068caf6c925c71b3eba9bfaaa3b6e25aaf44dc6e93d4f79d1e967bd3d9d7c63253aa9a74ba8a681f85d7
-
SSDEEP
3072:chOmTsF93UYfwC6GIoutieyhC2lbgGi5yLpcgDE4JBuItR8pTsgZ9WT4iaz+W:ccm4FmowdHoSi9EIBftapTs4WZazb
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/736-6-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/752-16-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2272-8-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2128-24-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2324-25-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2828-31-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3400-45-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/5056-38-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3688-50-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1980-55-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4644-65-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3588-80-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3152-87-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3296-92-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2880-99-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4164-104-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4420-110-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3172-124-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2984-135-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/792-144-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2288-148-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/4816-154-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4324-163-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/5080-171-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4964-177-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1952-193-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1076-195-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/744-201-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2600-214-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2272-216-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/208-222-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/404-233-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2856-248-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1904-255-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3296-280-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2552-282-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4936-291-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4420-293-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4944-300-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4328-303-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3664-311-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1104-320-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/4004-330-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3488-337-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3052-350-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1244-354-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1952-359-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1280-378-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4208-384-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2612-394-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2912-398-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2220-420-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2540-427-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3096-428-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3668-450-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2524-479-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/688-520-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4220-579-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2272-645-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2540-688-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/704-698-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3664-705-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4664-740-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/4644-795-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon -
Malware Dropper & Backdoor - Berbew 32 IoCs
Berbew is a backdoor Trojan that can download and install a range of additional malware, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule C:\tnnhhh.exe family_berbew C:\hntttb.exe family_berbew \??\c:\9dddj.exe family_berbew \??\c:\rlxxrxx.exe family_berbew \??\c:\lxlflrr.exe family_berbew \??\c:\3hntbh.exe family_berbew C:\xxxrrfx.exe family_berbew \??\c:\fxxfxll.exe family_berbew C:\xlrxffl.exe family_berbew C:\hthhhn.exe family_berbew C:\flrrrrr.exe family_berbew C:\hntttb.exe family_berbew \??\c:\jjdjj.exe family_berbew \??\c:\lxlrrxl.exe family_berbew C:\vvjdd.exe family_berbew C:\fxllrrf.exe family_berbew C:\tntttb.exe family_berbew C:\xflllll.exe family_berbew \??\c:\9hnnnt.exe family_berbew \??\c:\1djjj.exe family_berbew \??\c:\bthhhn.exe family_berbew \??\c:\bnhhbb.exe family_berbew C:\xrllrrr.exe family_berbew C:\7nbttt.exe family_berbew C:\lxfflxl.exe family_berbew C:\nbbnnh.exe family_berbew C:\7vdvp.exe family_berbew C:\nbhhhh.exe family_berbew C:\hnnhbb.exe family_berbew C:\dvppj.exe family_berbew C:\1lrlxxl.exe family_berbew C:\jdddp.exe family_berbew -
Executes dropped EXE 64 IoCs
Processes:
tnnhhh.exe hntttb.exe 9dddj.exe rlxxrxx.exe lxlflrr.exe 3hntbh.exe xxxrrfx.exe fxxfxll.exe xlrxffl.exe hthhhn.exe flrrrrr.exe hntttb.exe jjdjj.exe lxlrrxl.exe vvjdd.exe fxllrrf.exe tntttb.exe xflllll.exe 9hnnnt.exe 1djjj.exe bthhhn.exe bnhhbb.exe xrllrrr.exe 7nbttt.exe lxfflxl.exe nbbnnh.exe 7vdvp.exe nbhhhh.exe hnnhbb.exe dvppj.exe 1lrlxxl.exe jdddp.exe pppjv.exe rfxrlxr.exe tntnbt.exe dppjd.exe vpvpd.exe fxllffx.exe jvdvv.exe jvjjj.exe 1rfxflx.exe hhnntb.exe nttnhh.exe djppp.exe fxxrrlf.exe fxrrlrl.exe 9nnhhh.exe vjdvd.exe 9jdvp.exe rllfxxx.exe bnnhbt.exe 3ddjd.exe xlllrlr.exe nbnhbh.exe dddpd.exe xxlrffl.exe 1hnhbb.exe 7bhbbt.exe dvjdv.exe fxxxrll.exe thhbtt.exe pdjjd.exe 7djjp.exe rrfxrrr.exe pid process 2272 tnnhhh.exe 752 hntttb.exe 2128 9dddj.exe 2324 rlxxrxx.exe 2828 lxlflrr.exe 5056 3hntbh.exe 3400 xxxrrfx.exe 3688 fxxfxll.exe 1980 xlrxffl.exe 4644 hthhhn.exe 4452 flrrrrr.exe 1912 hntttb.exe 3588 jjdjj.exe 3152 lxlrrxl.exe 3296 vvjdd.exe 2880 fxllrrf.exe 4164 tntttb.exe 4420 xflllll.exe 3240 9hnnnt.exe 3172 1djjj.exe 1840 bthhhn.exe 2984 bnhhbb.exe 4444 xrllrrr.exe 792 7nbttt.exe 2288 lxfflxl.exe 4816 nbbnnh.exe 4324 7vdvp.exe 4256 nbhhhh.exe 5080 hnnhbb.exe 4964 dvppj.exe 2100 1lrlxxl.exe 4648 jdddp.exe 1952 pppjv.exe 1076 rfxrlxr.exe 744 tntnbt.exe 4252 dppjd.exe 2108 vpvpd.exe 1204 fxllffx.exe 2600 jvdvv.exe 2272 jvjjj.exe 208 1rfxflx.exe 4836 hhnntb.exe 2612 nttnhh.exe 5024 djppp.exe 404 fxxrrlf.exe 2828 fxrrlrl.exe 1944 9nnhhh.exe 4024 vjdvd.exe 2856 9jdvp.exe 1780 rllfxxx.exe 1904 bnnhbt.exe 1108 3ddjd.exe 3088 xlllrlr.exe 4660 nbnhbh.exe 1124 dddpd.exe 1776 xxlrffl.exe 3860 1hnhbb.exe 1824 7bhbbt.exe 3296 dvjdv.exe 2552 fxxxrll.exe 3788 thhbtt.exe 4936 pdjjd.exe 4420 7djjp.exe 3240 rrfxrrr.exe -
Processes:
resource yara_rule behavioral2/memory/736-0-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\tnnhhh.exe upx behavioral2/memory/736-6-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\hntttb.exe upx \??\c:\9dddj.exe upx behavioral2/memory/752-16-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2272-8-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2128-24-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\rlxxrxx.exe upx behavioral2/memory/2324-25-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2828-31-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\lxlflrr.exe upx \??\c:\3hntbh.exe upx C:\xxxrrfx.exe upx behavioral2/memory/3400-45-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\fxxfxll.exe upx behavioral2/memory/5056-38-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3688-50-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\xlrxffl.exe upx behavioral2/memory/1980-55-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\hthhhn.exe upx behavioral2/memory/4644-61-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\flrrrrr.exe upx behavioral2/memory/4644-65-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\hntttb.exe upx \??\c:\jjdjj.exe upx behavioral2/memory/3588-80-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\lxlrrxl.exe upx C:\vvjdd.exe upx behavioral2/memory/3152-87-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3296-92-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\fxllrrf.exe upx C:\tntttb.exe upx behavioral2/memory/2880-99-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\xflllll.exe upx behavioral2/memory/4164-104-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\9hnnnt.exe upx behavioral2/memory/4420-110-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\1djjj.exe upx 
behavioral2/memory/3172-124-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\bthhhn.exe upx behavioral2/memory/2984-128-0x0000000000400000-0x0000000000436000-memory.dmp upx \??\c:\bnhhbb.exe upx C:\xrllrrr.exe upx behavioral2/memory/2984-135-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\7nbttt.exe upx behavioral2/memory/792-144-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\lxfflxl.exe upx behavioral2/memory/2288-148-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\nbbnnh.exe upx C:\7vdvp.exe upx behavioral2/memory/4816-154-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\nbhhhh.exe upx behavioral2/memory/4324-163-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\hnnhbb.exe upx behavioral2/memory/5080-171-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\dvppj.exe upx C:\1lrlxxl.exe upx behavioral2/memory/4964-177-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\jdddp.exe upx behavioral2/memory/1952-193-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1076-195-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/744-201-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2108-206-0x0000000000400000-0x0000000000436000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
79cc60dd48574053ccbc25690ba774d0_NeikiAnalytics.exe tnnhhh.exe hntttb.exe 9dddj.exe rlxxrxx.exe lxlflrr.exe 3hntbh.exe xxxrrfx.exe fxxfxll.exe xlrxffl.exe hthhhn.exe flrrrrr.exe hntttb.exe jjdjj.exe lxlrrxl.exe vvjdd.exe fxllrrf.exe tntttb.exe xflllll.exe 9hnnnt.exe 1djjj.exe bthhhn.exe description pid process target process PID 736 wrote to memory of 2272 736 79cc60dd48574053ccbc25690ba774d0_NeikiAnalytics.exe tnnhhh.exe PID 736 wrote to memory of 2272 736 79cc60dd48574053ccbc25690ba774d0_NeikiAnalytics.exe tnnhhh.exe PID 736 wrote to memory of 2272 736 79cc60dd48574053ccbc25690ba774d0_NeikiAnalytics.exe tnnhhh.exe PID 2272 wrote to memory of 752 2272 tnnhhh.exe hntttb.exe PID 2272 wrote to memory of 752 2272 tnnhhh.exe hntttb.exe PID 2272 wrote to memory of 752 2272 tnnhhh.exe hntttb.exe PID 752 wrote to memory of 2128 752 hntttb.exe 9dddj.exe PID 752 wrote to memory of 2128 752 hntttb.exe 9dddj.exe PID 752 wrote to memory of 2128 752 hntttb.exe 9dddj.exe PID 2128 wrote to memory of 2324 2128 9dddj.exe rlxxrxx.exe PID 2128 wrote to memory of 2324 2128 9dddj.exe rlxxrxx.exe PID 2128 wrote to memory of 2324 2128 9dddj.exe rlxxrxx.exe PID 2324 wrote to memory of 2828 2324 rlxxrxx.exe lxlflrr.exe PID 2324 wrote to memory of 2828 2324 rlxxrxx.exe lxlflrr.exe PID 2324 wrote to memory of 2828 2324 rlxxrxx.exe lxlflrr.exe PID 2828 wrote to memory of 5056 2828 lxlflrr.exe 3hntbh.exe PID 2828 wrote to memory of 5056 2828 lxlflrr.exe 3hntbh.exe PID 2828 wrote to memory of 5056 2828 lxlflrr.exe 3hntbh.exe PID 5056 wrote to memory of 3400 5056 3hntbh.exe xxxrrfx.exe PID 5056 wrote to memory of 3400 5056 3hntbh.exe xxxrrfx.exe PID 5056 wrote to memory of 3400 5056 3hntbh.exe xxxrrfx.exe PID 3400 wrote to memory of 3688 3400 xxxrrfx.exe fxxfxll.exe PID 3400 wrote to memory of 3688 3400 xxxrrfx.exe fxxfxll.exe PID 3400 wrote to memory of 3688 3400 xxxrrfx.exe fxxfxll.exe PID 3688 wrote to memory of 1980 3688 fxxfxll.exe xlrxffl.exe PID 3688 wrote to memory of 1980 3688 fxxfxll.exe xlrxffl.exe PID 
3688 wrote to memory of 1980 3688 fxxfxll.exe xlrxffl.exe PID 1980 wrote to memory of 4644 1980 xlrxffl.exe hthhhn.exe PID 1980 wrote to memory of 4644 1980 xlrxffl.exe hthhhn.exe PID 1980 wrote to memory of 4644 1980 xlrxffl.exe hthhhn.exe PID 4644 wrote to memory of 4452 4644 hthhhn.exe flrrrrr.exe PID 4644 wrote to memory of 4452 4644 hthhhn.exe flrrrrr.exe PID 4644 wrote to memory of 4452 4644 hthhhn.exe flrrrrr.exe PID 4452 wrote to memory of 1912 4452 flrrrrr.exe hntttb.exe PID 4452 wrote to memory of 1912 4452 flrrrrr.exe hntttb.exe PID 4452 wrote to memory of 1912 4452 flrrrrr.exe hntttb.exe PID 1912 wrote to memory of 3588 1912 hntttb.exe jjdjj.exe PID 1912 wrote to memory of 3588 1912 hntttb.exe jjdjj.exe PID 1912 wrote to memory of 3588 1912 hntttb.exe jjdjj.exe PID 3588 wrote to memory of 3152 3588 jjdjj.exe lxlrrxl.exe PID 3588 wrote to memory of 3152 3588 jjdjj.exe lxlrrxl.exe PID 3588 wrote to memory of 3152 3588 jjdjj.exe lxlrrxl.exe PID 3152 wrote to memory of 3296 3152 lxlrrxl.exe vvjdd.exe PID 3152 wrote to memory of 3296 3152 lxlrrxl.exe vvjdd.exe PID 3152 wrote to memory of 3296 3152 lxlrrxl.exe vvjdd.exe PID 3296 wrote to memory of 2880 3296 vvjdd.exe fxllrrf.exe PID 3296 wrote to memory of 2880 3296 vvjdd.exe fxllrrf.exe PID 3296 wrote to memory of 2880 3296 vvjdd.exe fxllrrf.exe PID 2880 wrote to memory of 4164 2880 fxllrrf.exe tntttb.exe PID 2880 wrote to memory of 4164 2880 fxllrrf.exe tntttb.exe PID 2880 wrote to memory of 4164 2880 fxllrrf.exe tntttb.exe PID 4164 wrote to memory of 4420 4164 tntttb.exe xflllll.exe PID 4164 wrote to memory of 4420 4164 tntttb.exe xflllll.exe PID 4164 wrote to memory of 4420 4164 tntttb.exe xflllll.exe PID 4420 wrote to memory of 3240 4420 xflllll.exe 9hnnnt.exe PID 4420 wrote to memory of 3240 4420 xflllll.exe 9hnnnt.exe PID 4420 wrote to memory of 3240 4420 xflllll.exe 9hnnnt.exe PID 3240 wrote to memory of 3172 3240 9hnnnt.exe 1djjj.exe PID 3240 wrote to memory of 3172 3240 9hnnnt.exe 1djjj.exe PID 3240 
wrote to memory of 3172 3240 9hnnnt.exe 1djjj.exe PID 3172 wrote to memory of 1840 3172 1djjj.exe bthhhn.exe PID 3172 wrote to memory of 1840 3172 1djjj.exe bthhhn.exe PID 3172 wrote to memory of 1840 3172 1djjj.exe bthhhn.exe PID 1840 wrote to memory of 2984 1840 bthhhn.exe bnhhbb.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\79cc60dd48574053ccbc25690ba774d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\79cc60dd48574053ccbc25690ba774d0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\tnnhhh.exec:\tnnhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\hntttb.exec:\hntttb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\9dddj.exec:\9dddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\rlxxrxx.exec:\rlxxrxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\lxlflrr.exec:\lxlflrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\3hntbh.exec:\3hntbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\xxxrrfx.exec:\xxxrrfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\fxxfxll.exec:\fxxfxll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\xlrxffl.exec:\xlrxffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\hthhhn.exec:\hthhhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\flrrrrr.exec:\flrrrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\hntttb.exec:\hntttb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\jjdjj.exec:\jjdjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\lxlrrxl.exec:\lxlrrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\vvjdd.exec:\vvjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\fxllrrf.exec:\fxllrrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\tntttb.exec:\tntttb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\xflllll.exec:\xflllll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\9hnnnt.exec:\9hnnnt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\1djjj.exec:\1djjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\bthhhn.exec:\bthhhn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\bnhhbb.exec:\bnhhbb.exe23⤵
- Executes dropped EXE
PID:2984 -
\??\c:\xrllrrr.exec:\xrllrrr.exe24⤵
- Executes dropped EXE
PID:4444 -
\??\c:\7nbttt.exec:\7nbttt.exe25⤵
- Executes dropped EXE
PID:792 -
\??\c:\lxfflxl.exec:\lxfflxl.exe26⤵
- Executes dropped EXE
PID:2288 -
\??\c:\nbbnnh.exec:\nbbnnh.exe27⤵
- Executes dropped EXE
PID:4816 -
\??\c:\7vdvp.exec:\7vdvp.exe28⤵
- Executes dropped EXE
PID:4324 -
\??\c:\nbhhhh.exec:\nbhhhh.exe29⤵
- Executes dropped EXE
PID:4256 -
\??\c:\hnnhbb.exec:\hnnhbb.exe30⤵
- Executes dropped EXE
PID:5080 -
\??\c:\dvppj.exec:\dvppj.exe31⤵
- Executes dropped EXE
PID:4964 -
\??\c:\1lrlxxl.exec:\1lrlxxl.exe32⤵
- Executes dropped EXE
PID:2100 -
\??\c:\jdddp.exec:\jdddp.exe33⤵
- Executes dropped EXE
PID:4648 -
\??\c:\pppjv.exec:\pppjv.exe34⤵
- Executes dropped EXE
PID:1952 -
\??\c:\rfxrlxr.exec:\rfxrlxr.exe35⤵
- Executes dropped EXE
PID:1076 -
\??\c:\tntnbt.exec:\tntnbt.exe36⤵
- Executes dropped EXE
PID:744 -
\??\c:\dppjd.exec:\dppjd.exe37⤵
- Executes dropped EXE
PID:4252 -
\??\c:\vpvpd.exec:\vpvpd.exe38⤵
- Executes dropped EXE
PID:2108 -
\??\c:\fxllffx.exec:\fxllffx.exe39⤵
- Executes dropped EXE
PID:1204 -
\??\c:\jvdvv.exec:\jvdvv.exe40⤵
- Executes dropped EXE
PID:2600 -
\??\c:\jvjjj.exec:\jvjjj.exe41⤵
- Executes dropped EXE
PID:2272 -
\??\c:\1rfxflx.exec:\1rfxflx.exe42⤵
- Executes dropped EXE
PID:208 -
\??\c:\hhnntb.exec:\hhnntb.exe43⤵
- Executes dropped EXE
PID:4836 -
\??\c:\nttnhh.exec:\nttnhh.exe44⤵
- Executes dropped EXE
PID:2612 -
\??\c:\djppp.exec:\djppp.exe45⤵
- Executes dropped EXE
PID:5024 -
\??\c:\fxxrrlf.exec:\fxxrrlf.exe46⤵
- Executes dropped EXE
PID:404 -
\??\c:\fxrrlrl.exec:\fxrrlrl.exe47⤵
- Executes dropped EXE
PID:2828 -
\??\c:\9nnhhh.exec:\9nnhhh.exe48⤵
- Executes dropped EXE
PID:1944 -
\??\c:\vjdvd.exec:\vjdvd.exe49⤵
- Executes dropped EXE
PID:4024 -
\??\c:\9jdvp.exec:\9jdvp.exe50⤵
- Executes dropped EXE
PID:2856 -
\??\c:\rllfxxx.exec:\rllfxxx.exe51⤵
- Executes dropped EXE
PID:1780 -
\??\c:\bnnhbt.exec:\bnnhbt.exe52⤵
- Executes dropped EXE
PID:1904 -
\??\c:\3ddjd.exec:\3ddjd.exe53⤵
- Executes dropped EXE
PID:1108 -
\??\c:\xlllrlr.exec:\xlllrlr.exe54⤵
- Executes dropped EXE
PID:3088 -
\??\c:\nbnhbh.exec:\nbnhbh.exe55⤵
- Executes dropped EXE
PID:4660 -
\??\c:\dddpd.exec:\dddpd.exe56⤵
- Executes dropped EXE
PID:1124 -
\??\c:\xxlrffl.exec:\xxlrffl.exe57⤵
- Executes dropped EXE
PID:1776 -
\??\c:\1hnhbb.exec:\1hnhbb.exe58⤵
- Executes dropped EXE
PID:3860 -
\??\c:\7bhbbt.exec:\7bhbbt.exe59⤵
- Executes dropped EXE
PID:1824 -
\??\c:\dvjdv.exec:\dvjdv.exe60⤵
- Executes dropped EXE
PID:3296 -
\??\c:\fxxxrll.exec:\fxxxrll.exe61⤵
- Executes dropped EXE
PID:2552 -
\??\c:\thhbtt.exec:\thhbtt.exe62⤵
- Executes dropped EXE
PID:3788 -
\??\c:\pdjjd.exec:\pdjjd.exe63⤵
- Executes dropped EXE
PID:4936 -
\??\c:\7djjp.exec:\7djjp.exe64⤵
- Executes dropped EXE
PID:4420 -
\??\c:\rrfxrrr.exec:\rrfxrrr.exe65⤵
- Executes dropped EXE
PID:3240 -
\??\c:\bbnhbb.exec:\bbnhbb.exe66⤵PID:4944
-
\??\c:\tnnhtt.exec:\tnnhtt.exe67⤵PID:4328
-
\??\c:\jpjdv.exec:\jpjdv.exe68⤵PID:3664
-
\??\c:\rlfrlfx.exec:\rlfrlfx.exe69⤵PID:3364
-
\??\c:\xrrflxr.exec:\xrrflxr.exe70⤵PID:3108
-
\??\c:\bnhnhh.exec:\bnhnhh.exe71⤵PID:1104
-
\??\c:\tbhbtt.exec:\tbhbtt.exe72⤵PID:792
-
\??\c:\jpppd.exec:\jpppd.exe73⤵PID:5040
-
\??\c:\lxxlxrr.exec:\lxxlxrr.exe74⤵PID:4004
-
\??\c:\hnnhbb.exec:\hnnhbb.exe75⤵PID:2728
-
\??\c:\3pjjv.exec:\3pjjv.exe76⤵PID:3488
-
\??\c:\xflllfr.exec:\xflllfr.exe77⤵PID:4256
-
\??\c:\htttnn.exec:\htttnn.exe78⤵PID:3580
-
\??\c:\7nnnnn.exec:\7nnnnn.exe79⤵PID:2976
-
\??\c:\jdpjd.exec:\jdpjd.exe80⤵PID:3052
-
\??\c:\pvjjd.exec:\pvjjd.exe81⤵PID:1244
-
\??\c:\9xxxllf.exec:\9xxxllf.exe82⤵PID:1408
-
\??\c:\ttnhtt.exec:\ttnhtt.exe83⤵PID:1952
-
\??\c:\jjddp.exec:\jjddp.exe84⤵PID:700
-
\??\c:\lrffrrr.exec:\lrffrrr.exe85⤵PID:3212
-
\??\c:\llrflxr.exec:\llrflxr.exe86⤵PID:5088
-
\??\c:\tnnhbt.exec:\tnnhbt.exe87⤵PID:2832
-
\??\c:\hntnbh.exec:\hntnbh.exe88⤵PID:1312
-
\??\c:\ddjdd.exec:\ddjdd.exe89⤵PID:1280
-
\??\c:\frrlfrl.exec:\frrlfrl.exe90⤵PID:4208
-
\??\c:\ttttbb.exec:\ttttbb.exe91⤵PID:2196
-
\??\c:\dpvpd.exec:\dpvpd.exe92⤵PID:2860
-
\??\c:\jvvpj.exec:\jvvpj.exe93⤵PID:2612
-
\??\c:\rflfxxr.exec:\rflfxxr.exe94⤵PID:2912
-
\??\c:\nhttnh.exec:\nhttnh.exe95⤵PID:1812
-
\??\c:\1dvpp.exec:\1dvpp.exe96⤵PID:2396
-
\??\c:\1vdpj.exec:\1vdpj.exe97⤵PID:880
-
\??\c:\flrlxxr.exec:\flrlxxr.exe98⤵PID:2856
-
\??\c:\xllffff.exec:\xllffff.exe99⤵PID:1780
-
\??\c:\5bbnhh.exec:\5bbnhh.exe100⤵PID:3692
-
\??\c:\3nbttt.exec:\3nbttt.exe101⤵PID:2220
-
\??\c:\jpvvp.exec:\jpvvp.exe102⤵PID:1912
-
\??\c:\ffxrxxf.exec:\ffxrxxf.exe103⤵PID:2540
-
\??\c:\5rxrrxx.exec:\5rxrrxx.exe104⤵PID:3096
-
\??\c:\tnhnhh.exec:\tnhnhh.exe105⤵PID:2764
-
\??\c:\pjvjd.exec:\pjvjd.exe106⤵PID:5032
-
\??\c:\vvpjj.exec:\vvpjj.exe107⤵PID:5084
-
\??\c:\1lrlxxr.exec:\1lrlxxr.exe108⤵PID:4920
-
\??\c:\rllfxxl.exec:\rllfxxl.exe109⤵PID:1000
-
\??\c:\nbttnt.exec:\nbttnt.exe110⤵PID:3668
-
\??\c:\nbbtnh.exec:\nbbtnh.exe111⤵PID:1748
-
\??\c:\vvpjd.exec:\vvpjd.exe112⤵PID:3764
-
\??\c:\fffxxxx.exec:\fffxxxx.exe113⤵PID:3600
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe114⤵PID:1104
-
\??\c:\btbthn.exec:\btbthn.exe115⤵PID:1032
-
\??\c:\pdpjd.exec:\pdpjd.exe116⤵PID:5040
-
\??\c:\rlrrrrl.exec:\rlrrrrl.exe117⤵PID:3996
-
\??\c:\flrfxxr.exec:\flrfxxr.exe118⤵PID:5096
-
\??\c:\nhttnn.exec:\nhttnn.exe119⤵PID:2524
-
\??\c:\nbbtnh.exec:\nbbtnh.exe120⤵PID:4832
-
\??\c:\vdpjd.exec:\vdpjd.exe121⤵PID:4028
-
\??\c:\5ffxxxf.exec:\5ffxxxf.exe122⤵PID:1136
-
\??\c:\lrxlfxr.exec:\lrxlfxr.exe123⤵PID:3456
-
\??\c:\ttttnn.exec:\ttttnn.exe124⤵PID:2100
-
\??\c:\jdvpd.exec:\jdvpd.exe125⤵PID:1728
-
\??\c:\vdjdp.exec:\vdjdp.exe126⤵PID:1076
-
\??\c:\lrlxrff.exec:\lrlxrff.exe127⤵PID:3276
-
\??\c:\bthhnh.exec:\bthhnh.exe128⤵PID:4304
-
\??\c:\nbbtbt.exec:\nbbtbt.exe129⤵PID:1216
-
\??\c:\jpvpp.exec:\jpvpp.exe130⤵PID:2428
-
\??\c:\lflfrll.exec:\lflfrll.exe131⤵PID:436
-
\??\c:\xrxlffx.exec:\xrxlffx.exe132⤵PID:688
-
\??\c:\vdddv.exec:\vdddv.exe133⤵PID:4388
-
\??\c:\lxfxlfx.exec:\lxfxlfx.exe134⤵PID:4784
-
\??\c:\xllfxxr.exec:\xllfxxr.exe135⤵PID:4496
-
\??\c:\thnhnh.exec:\thnhnh.exe136⤵PID:5024
-
\??\c:\pjppd.exec:\pjppd.exe137⤵PID:2488
-
\??\c:\jpppd.exec:\jpppd.exe138⤵PID:4632
-
\??\c:\dvdpj.exec:\dvdpj.exe139⤵PID:1812
-
\??\c:\lxlfxrr.exec:\lxlfxrr.exe140⤵PID:4024
-
\??\c:\lrrrffx.exec:\lrrrffx.exe141⤵PID:916
-
\??\c:\9hnhhh.exec:\9hnhhh.exe142⤵PID:2536
-
\??\c:\9jjdp.exec:\9jjdp.exe143⤵PID:1640
-
\??\c:\frxlffx.exec:\frxlffx.exe144⤵PID:3132
-
\??\c:\tnnhbb.exec:\tnnhbb.exe145⤵PID:1124
-
\??\c:\hbbbth.exec:\hbbbth.exe146⤵PID:3152
-
\??\c:\jdvpd.exec:\jdvpd.exe147⤵PID:3244
-
\??\c:\lfxrxlx.exec:\lfxrxlx.exe148⤵PID:4428
-
\??\c:\5xlfxxr.exec:\5xlfxxr.exe149⤵PID:704
-
\??\c:\nnnnnt.exec:\nnnnnt.exe150⤵PID:1656
-
\??\c:\ddvpj.exec:\ddvpj.exe151⤵PID:3564
-
\??\c:\jddvp.exec:\jddvp.exe152⤵PID:4220
-
\??\c:\flrrrff.exec:\flrrrff.exe153⤵PID:1920
-
\??\c:\htbtnb.exec:\htbtnb.exe154⤵PID:1008
-
\??\c:\9vvvp.exec:\9vvvp.exe155⤵PID:2288
-
\??\c:\pvppj.exec:\pvppj.exe156⤵PID:1760
-
\??\c:\5rrlxxx.exec:\5rrlxxx.exe157⤵PID:4424
-
\??\c:\xlrlfll.exec:\xlrlfll.exe158⤵PID:1936
-
\??\c:\tbtnnh.exec:\tbtnnh.exe159⤵PID:540
-
\??\c:\vpjvj.exec:\vpjvj.exe160⤵PID:5080
-
\??\c:\rxxlfxr.exec:\rxxlfxr.exe161⤵PID:1960
-
\??\c:\frrrlll.exec:\frrrlll.exe162⤵PID:4952
-
\??\c:\7hnhhh.exec:\7hnhhh.exe163⤵PID:2756
-
\??\c:\nhhbbb.exec:\nhhbbb.exe164⤵PID:3572
-
\??\c:\vpvpj.exec:\vpvpj.exe165⤵PID:4648
-
\??\c:\1fllfll.exec:\1fllfll.exe166⤵PID:1300
-
\??\c:\3rxxxxx.exec:\3rxxxxx.exe167⤵PID:3776
-
\??\c:\7nnnhh.exec:\7nnnhh.exe168⤵PID:1172
-
\??\c:\vvddv.exec:\vvddv.exe169⤵PID:4320
-
\??\c:\jvdpj.exec:\jvdpj.exe170⤵PID:3888
-
\??\c:\ffffxxr.exec:\ffffxxr.exe171⤵PID:3808
-
\??\c:\lrllrxx.exec:\lrllrxx.exe172⤵PID:2272
-
\??\c:\bbnnhh.exec:\bbnnhh.exe173⤵PID:2196
-
\??\c:\dddvv.exec:\dddvv.exe174⤵PID:1416
-
\??\c:\jdpjp.exec:\jdpjp.exe175⤵PID:4496
-
\??\c:\lxffxff.exec:\lxffxff.exe176⤵PID:4996
-
\??\c:\bhbtbh.exec:\bhbtbh.exe177⤵PID:2488
-
\??\c:\tnhhbh.exec:\tnhhbh.exe178⤵PID:4464
-
\??\c:\ddjdv.exec:\ddjdv.exe179⤵PID:880
-
\??\c:\lxxxxxx.exec:\lxxxxxx.exe180⤵PID:2940
-
\??\c:\rffxxxx.exec:\rffxxxx.exe181⤵PID:916
-
\??\c:\3ntthh.exec:\3ntthh.exe182⤵PID:2536
-
\??\c:\tbnhhh.exec:\tbnhhh.exe183⤵PID:4244
-
\??\c:\vvddv.exec:\vvddv.exe184⤵PID:3132
-
\??\c:\rllfffl.exec:\rllfffl.exe185⤵PID:4440
-
\??\c:\bbnntb.exec:\bbnntb.exe186⤵PID:2540
-
\??\c:\bbntnn.exec:\bbntnn.exe187⤵PID:3244
-
\??\c:\flrxrll.exec:\flrxrll.exe188⤵PID:4300
-
\??\c:\xlrrrll.exec:\xlrrrll.exe189⤵PID:704
-
\??\c:\nhnnhh.exec:\nhnnhh.exe190⤵PID:5012
-
\??\c:\vjpjv.exec:\vjpjv.exe191⤵PID:3664
-
\??\c:\ddpjd.exec:\ddpjd.exe192⤵PID:3108
-
\??\c:\xfffxfx.exec:\xfffxfx.exe193⤵PID:3496
-
\??\c:\nhhbbb.exec:\nhhbbb.exe194⤵PID:2556
-
\??\c:\thtttn.exec:\thtttn.exe195⤵PID:1032
-
\??\c:\jdjpd.exec:\jdjpd.exe196⤵PID:388
-
\??\c:\rrlffff.exec:\rrlffff.exe197⤵PID:4424
-
\??\c:\nhnttt.exec:\nhnttt.exe198⤵PID:3208
-
\??\c:\bbbbnn.exec:\bbbbnn.exe199⤵PID:3580
-
\??\c:\vppjd.exec:\vppjd.exe200⤵PID:3164
-
\??\c:\pjppj.exec:\pjppj.exe201⤵PID:4028
-
\??\c:\frlfrrl.exec:\frlfrrl.exe202⤵PID:4964
-
\??\c:\3thbth.exec:\3thbth.exe203⤵PID:4664
-
\??\c:\1ttttb.exec:\1ttttb.exe204⤵PID:2852
-
\??\c:\jdpjj.exec:\jdpjj.exe205⤵PID:1020
-
\??\c:\fxxrlrf.exec:\fxxrlrf.exe206⤵PID:3776
-
\??\c:\xfxrlxr.exec:\xfxrlxr.exe207⤵PID:2104
-
\??\c:\btnhbb.exec:\btnhbb.exe208⤵PID:4508
-
\??\c:\3ddvp.exec:\3ddvp.exe209⤵PID:1216
-
\??\c:\dvdpv.exec:\dvdpv.exe210⤵PID:736
-
\??\c:\xrrrlll.exec:\xrrrlll.exe211⤵PID:1584
-
\??\c:\lfrllxr.exec:\lfrllxr.exe212⤵PID:4388
-
\??\c:\thnnhh.exec:\thnnhh.exe213⤵PID:4100
-
\??\c:\1dvjd.exec:\1dvjd.exe214⤵PID:1240
-
\??\c:\7jpjd.exec:\7jpjd.exe215⤵PID:404
-
\??\c:\fxlflff.exec:\fxlflff.exe216⤵PID:1916
-
\??\c:\xrlrrll.exec:\xrlrrll.exe217⤵PID:1700
-
\??\c:\nhhbbt.exec:\nhhbbt.exe218⤵PID:1980
-
\??\c:\vpjpp.exec:\vpjpp.exe219⤵PID:880
-
\??\c:\pjpjv.exec:\pjpjv.exe220⤵PID:2940
-
\??\c:\fllxrrr.exec:\fllxrrr.exe221⤵PID:4644
-
\??\c:\5ttnnn.exec:\5ttnnn.exe222⤵PID:1868
-
\??\c:\hthhhb.exec:\hthhhb.exe223⤵PID:4244
-
\??\c:\jddvv.exec:\jddvv.exe224⤵PID:3132
-
\??\c:\llllfff.exec:\llllfff.exe225⤵PID:4440
-
\??\c:\nhhnnh.exec:\nhhnnh.exe226⤵PID:5108
-
\??\c:\hbnhnt.exec:\hbnhnt.exe227⤵PID:452
-
\??\c:\7pjjd.exec:\7pjjd.exe228⤵PID:4392
-
\??\c:\dvjdv.exec:\dvjdv.exe229⤵PID:704
-
\??\c:\lxfxfxf.exec:\lxfxfxf.exe230⤵PID:5012
-
\??\c:\nbhbbt.exec:\nbhbbt.exe231⤵PID:4220
-
\??\c:\pvpdv.exec:\pvpdv.exe232⤵PID:3156
-
\??\c:\vpdpj.exec:\vpdpj.exe233⤵PID:2304
-
\??\c:\1rxrrlf.exec:\1rxrrlf.exe234⤵PID:2836
-
\??\c:\hbthbb.exec:\hbthbb.exe235⤵PID:1032
-
\??\c:\bntthh.exec:\bntthh.exe236⤵PID:388
-
\??\c:\jpjdd.exec:\jpjdd.exe237⤵PID:4284
-
\??\c:\rrfrlfr.exec:\rrfrlfr.exe238⤵PID:3464
-
\??\c:\ntbttt.exec:\ntbttt.exe239⤵PID:3912
-
\??\c:\nhhhhh.exec:\nhhhhh.exe240⤵PID:1136
-
\??\c:\vjjdd.exec:\vjjdd.exe241⤵PID:3572
-
\??\c:\ffxrllf.exec:\ffxrllf.exe242⤵PID:3756