Analysis

max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 15:51

Behavioral task: behavioral1
Sample: 77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe
Resource: win7-20240215-en

General

Target: 77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe
Size: 192KB
MD5: 77b7c6a02c79ab73015e4d28c4905590
SHA1: e22c4ce2d464e1c6c983290bfa11974ec4cc492f
SHA256: 0c06351ce37fd6aca129a115294fd79bee5e976a9428825950fcad33f26ac2b1
SHA512: 6ba024876fc86a4a8fbc4bd5084fce06af20e68acd1a190e624d2961145da9b8d1b2ae0a1800932502bb863d771993b6eb3fe537088dada5d7230643683ac5ef
SSDEEP: 3072:FhOmTsF93UYfwC6GIoutrVCfMoh52waAyiJ8mqtbfUVKty16hDsI/tSvm:Fcm4FmowdHoS8fMoSVAHubPtyYxfT
Malware Config

Signatures

- Detect Blackmoon payload (46 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1240-8-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2756-19-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2252-27-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2584-37-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2656-39-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2624-57-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2404-73-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2440-82-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2988-93-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/3012-129-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2088-208-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/1784-243-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2360-285-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2144-328-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2488-417-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/1572-457-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/336-496-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/1808-477-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2748-384-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2144-321-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/1308-539-0x0000000000220000-0x0000000000256000-memory.dmp | family_blackmoon
  behavioral1/memory/628-301-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/972-274-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2228-240-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/652-225-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/560-200-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/1556-179-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/1308-578-0x0000000000220000-0x0000000000256000-memory.dmp | family_blackmoon
  behavioral1/memory/2776-164-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/1692-139-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2036-592-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2844-112-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2840-102-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2560-91-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/1336-654-0x0000000000220000-0x0000000000256000-memory.dmp | family_blackmoon
  behavioral1/memory/2400-686-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2964-705-0x0000000000230000-0x0000000000266000-memory.dmp | family_blackmoon
  behavioral1/memory/2844-706-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/1628-713-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/1892-745-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/3064-783-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/2488-1007-0x0000000001B80000-0x0000000001BB6000-memory.dmp | family_blackmoon
  behavioral1/memory/1672-1077-0x0000000000220000-0x0000000000256000-memory.dmp | family_blackmoon
  behavioral1/memory/1324-1080-0x0000000000220000-0x0000000000256000-memory.dmp | family_blackmoon
  behavioral1/memory/584-1091-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
  behavioral1/memory/1740-1105-0x0000000000400000-0x0000000000436000-memory.dmp | family_blackmoon
- Malware Dropper & Backdoor - Berbew (33 IoCs)
  Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  Processes:
  resource | yara_rule
  C:\tthttb.exe | family_berbew
  C:\1rlrffr.exe | family_berbew
  C:\5frlrrx.exe | family_berbew
  \??\c:\bbbthn.exe | family_berbew
  C:\5btbht.exe | family_berbew
  C:\9xrfflx.exe | family_berbew
  C:\xxxfrxr.exe | family_berbew
  \??\c:\jjdvj.exe | family_berbew
  \??\c:\bhhhhb.exe | family_berbew
  C:\dvvvj.exe | family_berbew
  \??\c:\bhnhnt.exe | family_berbew
  C:\jjjdp.exe | family_berbew
  \??\c:\fxrrflr.exe | family_berbew
  C:\nhhbhn.exe | family_berbew
  \??\c:\3jjdj.exe | family_berbew
  C:\ttthtb.exe | family_berbew
  \??\c:\dvpvj.exe | family_berbew
  C:\9tntbn.exe | family_berbew
  \??\c:\bbnbnt.exe | family_berbew
  \??\c:\ddjvv.exe | family_berbew
  C:\5dpdv.exe | family_berbew
  C:\nttnhh.exe | family_berbew
  behavioral1/memory/1736-391-0x0000000000220000-0x0000000000256000-memory.dmp | family_berbew
  \??\c:\fxlxxxx.exe | family_berbew
  \??\c:\pjddv.exe | family_berbew
  \??\c:\rlxlxlx.exe | family_berbew
  \??\c:\pppdj.exe | family_berbew
  \??\c:\bbbthb.exe | family_berbew
  \??\c:\xxxlflx.exe | family_berbew
  \??\c:\bbtbhn.exe | family_berbew
  \??\c:\5ntbhn.exe | family_berbew
  \??\c:\5lxxllx.exe | family_berbew
  \??\c:\dddjd.exe | family_berbew
- Executes dropped EXE (64 IoCs)
  Processes:
  pid | process
  2756 | tthttb.exe
  2252 | 1rlrffr.exe
  2584 | 5frlrrx.exe
  2656 | bbbthn.exe
  2448 | 5btbht.exe
  2624 | jjdvj.exe
  2404 | 9xrfflx.exe
  2440 | xxxfrxr.exe
  2560 | bhhhhb.exe
  2988 | dvvvj.exe
  2840 | dddjd.exe
  2844 | 5lxxllx.exe
  1636 | 5ntbhn.exe
  3012 | bhnhnt.exe
  1692 | bbtbhn.exe
  1672 | jjjdp.exe
  320 | xxxlflx.exe
  2776 | fxrrflr.exe
  1556 | bbbthb.exe
  2108 | nhhbhn.exe
  3064 | 3jjdj.exe
  560 | pppdj.exe
  2088 | rlxlxlx.exe
  804 | ttthtb.exe
  652 | pjddv.exe
  2228 | dvpvj.exe
  1784 | 9tntbn.exe
  1404 | bbnbnt.exe
  1716 | ddjvv.exe
  972 | 5dpdv.exe
  2360 | fxlxxxx.exe
  1056 | nttnhh.exe
  628 | 9jjpd.exe
  2336 | vdjpv.exe
  2296 | rfrffxx.exe
  1608 | llxfrxl.exe
  2144 | 5hbthn.exe
  2120 | 7jjjv.exe
  2548 | 7vpdp.exe
  2664 | 7vpvj.exe
  2572 | fffrxrf.exe
  2884 | lfxlfrf.exe
  2448 | bbhnbh.exe
  2608 | hbbbhn.exe
  2580 | hhttbh.exe
  2748 | 1dppj.exe
  1736 | vdjdd.exe
  1916 | flfrrxl.exe
  2988 | llffflx.exe
  2840 | nhbhht.exe
  2488 | ttthtb.exe
  1896 | 1frflxl.exe
  1588 | lfxrllr.exe
  2528 | nnbbnn.exe
  2328 | hbnbhn.exe
  1972 | ppjpd.exe
  2996 | 3vjvd.exe
  1572 | lrffrlx.exe
  2820 | 5btnnh.exe
  1808 | nhbhth.exe
  2904 | ddvdp.exe
  2260 | ddpvv.exe
  1536 | rrlrfrx.exe
  336 | llrxflx.exe
  Processes:
  resource | yara_rule
  behavioral1/memory/1240-0-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/1240-3-0x00000000003C0000-0x00000000003F6000-memory.dmp | upx
  behavioral1/memory/1240-8-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/2756-10-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  C:\tthttb.exe | upx
  behavioral1/memory/2756-19-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  C:\1rlrffr.exe | upx
  C:\5frlrrx.exe | upx
  behavioral1/memory/2252-27-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  \??\c:\bbbthn.exe | upx
  behavioral1/memory/2584-37-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/2656-39-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  C:\5btbht.exe | upx
  behavioral1/memory/2624-57-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  C:\9xrfflx.exe | upx
  behavioral1/memory/2404-73-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  C:\xxxfrxr.exe | upx
  behavioral1/memory/2404-65-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  \??\c:\jjdvj.exe | upx
  \??\c:\bhhhhb.exe | upx
  behavioral1/memory/2440-82-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  C:\dvvvj.exe | upx
  behavioral1/memory/2988-93-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  \??\c:\bhnhnt.exe | upx
  behavioral1/memory/3012-129-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  C:\jjjdp.exe | upx
  \??\c:\fxrrflr.exe | upx
  C:\nhhbhn.exe | upx
  \??\c:\3jjdj.exe | upx
  behavioral1/memory/2108-189-0x00000000003C0000-0x00000000003F6000-memory.dmp | upx
  behavioral1/memory/2088-208-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  C:\ttthtb.exe | upx
  \??\c:\dvpvj.exe | upx
  C:\9tntbn.exe | upx
  behavioral1/memory/1784-243-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  \??\c:\bbnbnt.exe | upx
  \??\c:\ddjvv.exe | upx
  C:\5dpdv.exe | upx
  C:\nttnhh.exe | upx
  behavioral1/memory/2360-285-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/2336-302-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/2144-328-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/2664-341-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/2988-398-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/2488-417-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/1588-424-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/2996-450-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/1572-457-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/1808-470-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/336-496-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/1808-477-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/2748-384-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/2144-321-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/628-301-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/628-294-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  \??\c:\fxlxxxx.exe | upx
  behavioral1/memory/2360-276-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/972-274-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/2928-552-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/2228-240-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  behavioral1/memory/652-225-0x0000000000400000-0x0000000000436000-memory.dmp | upx
  \??\c:\pjddv.exe | upx
  \??\c:\rlxlxlx.exe | upx
  behavioral1/memory/560-200-0x0000000000400000-0x0000000000436000-memory.dmp | upx
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process
  PID 1240 wrote to memory of 2756 | 1240 | 77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe | tthttb.exe
  PID 1240 wrote to memory of 2756 | 1240 | 77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe | tthttb.exe
  PID 1240 wrote to memory of 2756 | 1240 | 77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe | tthttb.exe
  PID 1240 wrote to memory of 2756 | 1240 | 77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe | tthttb.exe
  PID 2756 wrote to memory of 2252 | 2756 | tthttb.exe | 1rlrffr.exe
  PID 2756 wrote to memory of 2252 | 2756 | tthttb.exe | 1rlrffr.exe
  PID 2756 wrote to memory of 2252 | 2756 | tthttb.exe | 1rlrffr.exe
  PID 2756 wrote to memory of 2252 | 2756 | tthttb.exe | 1rlrffr.exe
  PID 2252 wrote to memory of 2584 | 2252 | 1rlrffr.exe | 1ttnnb.exe
  PID 2252 wrote to memory of 2584 | 2252 | 1rlrffr.exe | 1ttnnb.exe
  PID 2252 wrote to memory of 2584 | 2252 | 1rlrffr.exe | 1ttnnb.exe
  PID 2252 wrote to memory of 2584 | 2252 | 1rlrffr.exe | 1ttnnb.exe
  PID 2584 wrote to memory of 2656 | 2584 | 5frlrrx.exe | bbbthn.exe
  PID 2584 wrote to memory of 2656 | 2584 | 5frlrrx.exe | bbbthn.exe
  PID 2584 wrote to memory of 2656 | 2584 | 5frlrrx.exe | bbbthn.exe
  PID 2584 wrote to memory of 2656 | 2584 | 5frlrrx.exe | bbbthn.exe
  PID 2656 wrote to memory of 2448 | 2656 | bbbthn.exe | nnbthh.exe
  PID 2656 wrote to memory of 2448 | 2656 | bbbthn.exe | nnbthh.exe
  PID 2656 wrote to memory of 2448 | 2656 | bbbthn.exe | nnbthh.exe
  PID 2656 wrote to memory of 2448 | 2656 | bbbthn.exe | nnbthh.exe
  PID 2448 wrote to memory of 2624 | 2448 | 5btbht.exe | jjdvj.exe
  PID 2448 wrote to memory of 2624 | 2448 | 5btbht.exe | jjdvj.exe
  PID 2448 wrote to memory of 2624 | 2448 | 5btbht.exe | jjdvj.exe
  PID 2448 wrote to memory of 2624 | 2448 | 5btbht.exe | jjdvj.exe
  PID 2624 wrote to memory of 2404 | 2624 | jjdvj.exe | 9xrfflx.exe
  PID 2624 wrote to memory of 2404 | 2624 | jjdvj.exe | 9xrfflx.exe
  PID 2624 wrote to memory of 2404 | 2624 | jjdvj.exe | 9xrfflx.exe
  PID 2624 wrote to memory of 2404 | 2624 | jjdvj.exe | 9xrfflx.exe
  PID 2404 wrote to memory of 2440 | 2404 | 9xrfflx.exe | xxxfrxr.exe
  PID 2404 wrote to memory of 2440 | 2404 | 9xrfflx.exe | xxxfrxr.exe
  PID 2404 wrote to memory of 2440 | 2404 | 9xrfflx.exe | xxxfrxr.exe
  PID 2404 wrote to memory of 2440 | 2404 | 9xrfflx.exe | xxxfrxr.exe
  PID 2440 wrote to memory of 2560 | 2440 | xxxfrxr.exe | rrlfflr.exe
  PID 2440 wrote to memory of 2560 | 2440 | xxxfrxr.exe | rrlfflr.exe
  PID 2440 wrote to memory of 2560 | 2440 | xxxfrxr.exe | rrlfflr.exe
  PID 2440 wrote to memory of 2560 | 2440 | xxxfrxr.exe | rrlfflr.exe
  PID 2560 wrote to memory of 2988 | 2560 | bhhhhb.exe | dvvvj.exe
  PID 2560 wrote to memory of 2988 | 2560 | bhhhhb.exe | dvvvj.exe
  PID 2560 wrote to memory of 2988 | 2560 | bhhhhb.exe | dvvvj.exe
  PID 2560 wrote to memory of 2988 | 2560 | bhhhhb.exe | dvvvj.exe
  PID 2988 wrote to memory of 2840 | 2988 | dvvvj.exe | nhbhht.exe
  PID 2988 wrote to memory of 2840 | 2988 | dvvvj.exe | nhbhht.exe
  PID 2988 wrote to memory of 2840 | 2988 | dvvvj.exe | nhbhht.exe
  PID 2988 wrote to memory of 2840 | 2988 | dvvvj.exe | nhbhht.exe
  PID 2840 wrote to memory of 2844 | 2840 | dddjd.exe | vpddp.exe
  PID 2840 wrote to memory of 2844 | 2840 | dddjd.exe | vpddp.exe
  PID 2840 wrote to memory of 2844 | 2840 | dddjd.exe | vpddp.exe
  PID 2840 wrote to memory of 2844 | 2840 | dddjd.exe | vpddp.exe
  PID 2844 wrote to memory of 1636 | 2844 | 5lxxllx.exe | 5ntbhn.exe
  PID 2844 wrote to memory of 1636 | 2844 | 5lxxllx.exe | 5ntbhn.exe
  PID 2844 wrote to memory of 1636 | 2844 | 5lxxllx.exe | 5ntbhn.exe
  PID 2844 wrote to memory of 1636 | 2844 | 5lxxllx.exe | 5ntbhn.exe
  PID 1636 wrote to memory of 3012 | 1636 | 5ntbhn.exe | bhnhnt.exe
  PID 1636 wrote to memory of 3012 | 1636 | 5ntbhn.exe | bhnhnt.exe
  PID 1636 wrote to memory of 3012 | 1636 | 5ntbhn.exe | bhnhnt.exe
  PID 1636 wrote to memory of 3012 | 1636 | 5ntbhn.exe | bhnhnt.exe
  PID 3012 wrote to memory of 1692 | 3012 | bhnhnt.exe | bbtbhn.exe
  PID 3012 wrote to memory of 1692 | 3012 | bhnhnt.exe | bbtbhn.exe
  PID 3012 wrote to memory of 1692 | 3012 | bhnhnt.exe | bbtbhn.exe
  PID 3012 wrote to memory of 1692 | 3012 | bhnhnt.exe | bbtbhn.exe
  PID 1692 wrote to memory of 1672 | 1692 | bbtbhn.exe | jjjdp.exe
  PID 1692 wrote to memory of 1672 | 1692 | bbtbhn.exe | jjjdp.exe
  PID 1692 wrote to memory of 1672 | 1692 | bbtbhn.exe | jjjdp.exe
  PID 1692 wrote to memory of 1672 | 1692 | bbtbhn.exe | jjjdp.exe
Processes

depth 1  C:\Users\Admin\AppData\Local\Temp\77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\77b7c6a02c79ab73015e4d28c4905590_NeikiAnalytics.exe"  PID 1240
  - Suspicious use of WriteProcessMemory
depth 2  \??\c:\tthttb.exe  cmdline: c:\tthttb.exe  PID 2756
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 3  \??\c:\1rlrffr.exe  cmdline: c:\1rlrffr.exe  PID 2252
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 4  \??\c:\5frlrrx.exe  cmdline: c:\5frlrrx.exe  PID 2584
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 5  \??\c:\bbbthn.exe  cmdline: c:\bbbthn.exe  PID 2656
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 6  \??\c:\5btbht.exe  cmdline: c:\5btbht.exe  PID 2448
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 7  \??\c:\jjdvj.exe  cmdline: c:\jjdvj.exe  PID 2624
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 8  \??\c:\9xrfflx.exe  cmdline: c:\9xrfflx.exe  PID 2404
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 9  \??\c:\xxxfrxr.exe  cmdline: c:\xxxfrxr.exe  PID 2440
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 10  \??\c:\bhhhhb.exe  cmdline: c:\bhhhhb.exe  PID 2560
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 11  \??\c:\dvvvj.exe  cmdline: c:\dvvvj.exe  PID 2988
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 12  \??\c:\dddjd.exe  cmdline: c:\dddjd.exe  PID 2840
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 13  \??\c:\5lxxllx.exe  cmdline: c:\5lxxllx.exe  PID 2844
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 14  \??\c:\5ntbhn.exe  cmdline: c:\5ntbhn.exe  PID 1636
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 15  \??\c:\bhnhnt.exe  cmdline: c:\bhnhnt.exe  PID 3012
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 16  \??\c:\bbtbhn.exe  cmdline: c:\bbtbhn.exe  PID 1692
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 17  \??\c:\jjjdp.exe  cmdline: c:\jjjdp.exe  PID 1672
  - Executes dropped EXE
depth 18  \??\c:\xxxlflx.exe  cmdline: c:\xxxlflx.exe  PID 320
  - Executes dropped EXE
depth 19  \??\c:\fxrrflr.exe  cmdline: c:\fxrrflr.exe  PID 2776
  - Executes dropped EXE
depth 20  \??\c:\bbbthb.exe  cmdline: c:\bbbthb.exe  PID 1556
  - Executes dropped EXE
depth 21  \??\c:\nhhbhn.exe  cmdline: c:\nhhbhn.exe  PID 2108
  - Executes dropped EXE
depth 22  \??\c:\3jjdj.exe  cmdline: c:\3jjdj.exe  PID 3064
  - Executes dropped EXE
depth 23  \??\c:\pppdj.exe  cmdline: c:\pppdj.exe  PID 560
  - Executes dropped EXE
depth 24  \??\c:\rlxlxlx.exe  cmdline: c:\rlxlxlx.exe  PID 2088
  - Executes dropped EXE
depth 25  \??\c:\ttthtb.exe  cmdline: c:\ttthtb.exe  PID 804
  - Executes dropped EXE
depth 26  \??\c:\pjddv.exe  cmdline: c:\pjddv.exe  PID 652
  - Executes dropped EXE
depth 27  \??\c:\dvpvj.exe  cmdline: c:\dvpvj.exe  PID 2228
  - Executes dropped EXE
depth 28  \??\c:\9tntbn.exe  cmdline: c:\9tntbn.exe  PID 1784
  - Executes dropped EXE
depth 29  \??\c:\bbnbnt.exe  cmdline: c:\bbnbnt.exe  PID 1404
  - Executes dropped EXE
depth 30  \??\c:\ddjvv.exe  cmdline: c:\ddjvv.exe  PID 1716
  - Executes dropped EXE
depth 31  \??\c:\5dpdv.exe  cmdline: c:\5dpdv.exe  PID 972
  - Executes dropped EXE
depth 32  \??\c:\fxlxxxx.exe  cmdline: c:\fxlxxxx.exe  PID 2360
  - Executes dropped EXE
depth 33  \??\c:\nttnhh.exe  cmdline: c:\nttnhh.exe  PID 1056
  - Executes dropped EXE
depth 34  \??\c:\9jjpd.exe  cmdline: c:\9jjpd.exe  PID 628
  - Executes dropped EXE
depth 35  \??\c:\vdjpv.exe  cmdline: c:\vdjpv.exe  PID 2336
  - Executes dropped EXE
depth 36  \??\c:\rfrffxx.exe  cmdline: c:\rfrffxx.exe  PID 2296
  - Executes dropped EXE
depth 37  \??\c:\llxfrxl.exe  cmdline: c:\llxfrxl.exe  PID 1608
  - Executes dropped EXE
depth 38  \??\c:\5hbthn.exe  cmdline: c:\5hbthn.exe  PID 2144
  - Executes dropped EXE
depth 39  \??\c:\7jjjv.exe  cmdline: c:\7jjjv.exe  PID 2120
  - Executes dropped EXE
depth 40  \??\c:\7vpdp.exe  cmdline: c:\7vpdp.exe  PID 2548
  - Executes dropped EXE
depth 41  \??\c:\7vpvj.exe  cmdline: c:\7vpvj.exe  PID 2664
  - Executes dropped EXE
depth 42  \??\c:\fffrxrf.exe  cmdline: c:\fffrxrf.exe  PID 2572
  - Executes dropped EXE
depth 43  \??\c:\lfxlfrf.exe  cmdline: c:\lfxlfrf.exe  PID 2884
  - Executes dropped EXE
depth 44  \??\c:\bbhnbh.exe  cmdline: c:\bbhnbh.exe  PID 2448
  - Executes dropped EXE
depth 45  \??\c:\hbbbhn.exe  cmdline: c:\hbbbhn.exe  PID 2608
  - Executes dropped EXE
depth 46  \??\c:\hhttbh.exe  cmdline: c:\hhttbh.exe  PID 2580
  - Executes dropped EXE
depth 47  \??\c:\1dppj.exe  cmdline: c:\1dppj.exe  PID 2748
  - Executes dropped EXE
depth 48  \??\c:\vdjdd.exe  cmdline: c:\vdjdd.exe  PID 1736
  - Executes dropped EXE
depth 49  \??\c:\flfrrxl.exe  cmdline: c:\flfrrxl.exe  PID 1916
  - Executes dropped EXE
depth 50  \??\c:\llffflx.exe  cmdline: c:\llffflx.exe  PID 2988
  - Executes dropped EXE
depth 51  \??\c:\nhbhht.exe  cmdline: c:\nhbhht.exe  PID 2840
  - Executes dropped EXE
depth 52  \??\c:\ttthtb.exe  cmdline: c:\ttthtb.exe  PID 2488
  - Executes dropped EXE
depth 53  \??\c:\1frflxl.exe  cmdline: c:\1frflxl.exe  PID 1896
  - Executes dropped EXE
depth 54  \??\c:\lfxrllr.exe  cmdline: c:\lfxrllr.exe  PID 1588
  - Executes dropped EXE
depth 55  \??\c:\nnbbnn.exe  cmdline: c:\nnbbnn.exe  PID 2528
  - Executes dropped EXE
depth 56  \??\c:\hbnbhn.exe  cmdline: c:\hbnbhn.exe  PID 2328
  - Executes dropped EXE
depth 57  \??\c:\ppjpd.exe  cmdline: c:\ppjpd.exe  PID 1972
  - Executes dropped EXE
depth 58  \??\c:\3vjvd.exe  cmdline: c:\3vjvd.exe  PID 2996
  - Executes dropped EXE
depth 59  \??\c:\lrffrlx.exe  cmdline: c:\lrffrlx.exe  PID 1572
  - Executes dropped EXE
depth 60  \??\c:\5btnnh.exe  cmdline: c:\5btnnh.exe  PID 2820
  - Executes dropped EXE
depth 61  \??\c:\nhbhth.exe  cmdline: c:\nhbhth.exe  PID 1808
  - Executes dropped EXE
depth 62  \??\c:\ddvdp.exe  cmdline: c:\ddvdp.exe  PID 2904
  - Executes dropped EXE
depth 63  \??\c:\ddpvv.exe  cmdline: c:\ddpvv.exe  PID 2260
  - Executes dropped EXE
depth 64  \??\c:\rrlrfrx.exe  cmdline: c:\rrlrfrx.exe  PID 1536
  - Executes dropped EXE
depth 65  \??\c:\llrxflx.exe  cmdline: c:\llrxflx.exe  PID 336
  - Executes dropped EXE
depth 66  \??\c:\flxrlrl.exe  cmdline: c:\flxrlrl.exe  PID 1492
depth 67  \??\c:\hbhbhb.exe  cmdline: c:\hbhbhb.exe  PID 1888
depth 68  \??\c:\hbnhnn.exe  cmdline: c:\hbnhnn.exe  PID 652
depth 69  \??\c:\vpjpv.exe  cmdline: c:\vpjpv.exe  PID 1780
depth 70  \??\c:\3frxlrl.exe  cmdline: c:\3frxlrl.exe  PID 1776
depth 71  \??\c:\xlxxffr.exe  cmdline: c:\xlxxffr.exe  PID 1308
depth 72  \??\c:\lxlrxrl.exe  cmdline: c:\lxlrxrl.exe  PID 2916
depth 73  \??\c:\7nhnht.exe  cmdline: c:\7nhnht.exe  PID 1040
depth 74  \??\c:\5vpdp.exe  cmdline: c:\5vpdp.exe  PID 2928
depth 75  \??\c:\9dvvd.exe  cmdline: c:\9dvvd.exe  PID 3036
depth 76  \??\c:\1rllxfl.exe  cmdline: c:\1rllxfl.exe  PID 2284
depth 77  \??\c:\5xrfxfx.exe  cmdline: c:\5xrfxfx.exe  PID 1512
depth 78  \??\c:\1lxfrrl.exe  cmdline: c:\1lxfrrl.exe  PID 776
depth 79  \??\c:\5bntbh.exe  cmdline: c:\5bntbh.exe  PID 2140
depth 80  \??\c:\jjjdj.exe  cmdline: c:\jjjdj.exe  PID 2036
depth 81  \??\c:\5vdjj.exe  cmdline: c:\5vdjj.exe  PID 916
depth 82  \??\c:\rrllrlr.exe  cmdline: c:\rrllrlr.exe  PID 1300
depth 83  \??\c:\fxrfffl.exe  cmdline: c:\fxrfffl.exe  PID 1336
depth 84  \??\c:\rfrxfrf.exe  cmdline: c:\rfrxfrf.exe  PID 2532
depth 85  \??\c:\1ttnnb.exe  cmdline: c:\1ttnnb.exe  PID 2584
depth 86  \??\c:\jjjpv.exe  cmdline: c:\jjjpv.exe  PID 2668
depth 87  \??\c:\vvjvp.exe  cmdline: c:\vvjvp.exe  PID 2740
depth 88  \??\c:\rrfrlrf.exe  cmdline: c:\rrfrlrf.exe  PID 2380
depth 89  \??\c:\nnbthh.exe  cmdline: c:\nnbthh.exe  PID 2448
depth 90  \??\c:\bthtbt.exe  cmdline: c:\bthtbt.exe  PID 2724
depth 91  \??\c:\7dpjj.exe  cmdline: c:\7dpjj.exe  PID 2436
depth 92  \??\c:\5ddjv.exe  cmdline: c:\5ddjv.exe  PID 2800
depth 93  \??\c:\rrlfflr.exe  cmdline: c:\rrlfflr.exe  PID 2560
depth 94  \??\c:\xxlfflx.exe  cmdline: c:\xxlfflx.exe  PID 2400
depth 95  \??\c:\tbnnhh.exe  cmdline: c:\tbnnhh.exe  PID 2876
depth 96  \??\c:\tthhbn.exe  cmdline: c:\tthhbn.exe  PID 2964
depth 97  \??\c:\vpddp.exe  cmdline: c:\vpddp.exe  PID 2844
depth 98  \??\c:\pvdvp.exe  cmdline: c:\pvdvp.exe  PID 1628
depth 99  \??\c:\7llllll.exe  cmdline: c:\7llllll.exe  PID 2124
depth 100  \??\c:\bbhhth.exe  cmdline: c:\bbhhth.exe  PID 344
depth 101  \??\c:\7btnhn.exe  cmdline: c:\7btnhn.exe  PID 2616
depth 102  \??\c:\pppvv.exe  cmdline: c:\pppvv.exe  PID 2684
depth 103  \??\c:\xxrfxfx.exe  cmdline: c:\xxrfxfx.exe  PID 1892
depth 104  \??\c:\rrlrrfl.exe  cmdline: c:\rrlrrfl.exe  PID 2776
depth 105  \??\c:\bhhnth.exe  cmdline: c:\bhhnth.exe  PID 1768
depth 106  \??\c:\bbthtb.exe  cmdline: c:\bbthtb.exe  PID 2716
depth 107  \??\c:\jvvvd.exe  cmdline: c:\jvvvd.exe  PID 2764
depth 108  \??\c:\jjdjp.exe  cmdline: c:\jjdjp.exe  PID 2904
depth 109  \??\c:\1lffrrf.exe  cmdline: c:\1lffrrf.exe  PID 3064
depth 110  \??\c:\xlrxrll.exe  cmdline: c:\xlrxrll.exe  PID 1956
depth 111  \??\c:\bntnnn.exe  cmdline: c:\bntnnn.exe  PID 2136
depth 112  \??\c:\vvpvd.exe  cmdline: c:\vvpvd.exe  PID 1884
depth 113  \??\c:\vpdjv.exe  cmdline: c:\vpdjv.exe  PID 2108
depth 114  \??\c:\xxxlxfl.exe  cmdline: c:\xxxlxfl.exe  PID 2288
depth 115  \??\c:\lxllrxx.exe  cmdline: c:\lxllrxx.exe  PID 1444
depth 116  \??\c:\3hnnth.exe  cmdline: c:\3hnnth.exe  PID 2816
depth 117  \??\c:\pjdpd.exe  cmdline: c:\pjdpd.exe  PID 540
depth 118  \??\c:\vvpdv.exe  cmdline: c:\vvpdv.exe  PID 928
depth 119  \??\c:\frfflrx.exe  cmdline: c:\frfflrx.exe  PID 580
depth 120  \??\c:\vpjvj.exe  cmdline: c:\vpjvj.exe  PID 1520
depth 121  \??\c:\lrxrlrr.exe  cmdline: c:\lrxrlrr.exe  PID 2264
depth 122  \??\c:\lfrxffl.exe  cmdline: c:\lfrxffl.exe  PID 2284
depth 123  \??\c:\hbhbtb.exe  cmdline: c:\hbhbtb.exe  PID 896
depth 124  \??\c:\ppvpd.exe  cmdline: c:\ppvpd.exe  PID 2520
depth 125  \??\c:\rlllrxx.exe  cmdline: c:\rlllrxx.exe  PID 2336
depth 126  \??\c:\pdvvv.exe  cmdline: c:\pdvvv.exe  PID 2296
depth 127  \??\c:\rllrxxx.exe  cmdline: c:\rllrxxx.exe  PID 1756
depth 128  \??\c:\dvpdv.exe  cmdline: c:\dvpdv.exe  PID 2756
depth 129  \??\c:\jdjjj.exe  cmdline: c:\jdjjj.exe  PID 1300
depth 130  \??\c:\9nhtbn.exe  cmdline: c:\9nhtbn.exe  PID 1516
depth 131  \??\c:\7tnntt.exe  cmdline: c:\7tnntt.exe  PID 2532
depth 132  \??\c:\pjvdj.exe  cmdline: c:\pjvdj.exe  PID 2256
depth 133  \??\c:\xxxrxxx.exe  cmdline: c:\xxxrxxx.exe  PID 2752
depth 134  \??\c:\vdvvd.exe  cmdline: c:\vdvvd.exe  PID 2640
depth 135  \??\c:\ppjpj.exe  cmdline: c:\ppjpj.exe  PID 2612
depth 136  \??\c:\lrfxrlx.exe  cmdline: c:\lrfxrlx.exe  PID 2648
depth 137  \??\c:\7nhnbh.exe  cmdline: c:\7nhnbh.exe  PID 2976
depth 138  \??\c:\vppdp.exe  cmdline: c:\vppdp.exe  PID 2748
depth 139  \??\c:\rlxlflx.exe  cmdline: c:\rlxlflx.exe  PID 2896
depth 140  \??\c:\jjdjd.exe  cmdline: c:\jjdjd.exe  PID 2832
depth 141  \??\c:\xxlrrxl.exe  cmdline: c:\xxlrrxl.exe  PID 2100
depth 142  \??\c:\tbnbbb.exe  cmdline: c:\tbnbbb.exe  PID 2472
depth 143  \??\c:\vpdpj.exe  cmdline: c:\vpdpj.exe  PID 2096
depth 144  \??\c:\9flxrxf.exe  cmdline: c:\9flxrxf.exe  PID 2488
depth 145  \??\c:\hhhtnt.exe  cmdline: c:\hhhtnt.exe  PID 3012
depth 146  \??\c:\5pjpp.exe  cmdline: c:\5pjpp.exe  PID 2320
depth 147  \??\c:\jdjdj.exe  cmdline: c:\jdjdj.exe  PID 1688
depth 148  \??\c:\9bnbtb.exe  cmdline: c:\9bnbtb.exe  PID 2496
depth 149  \??\c:\5bnbnb.exe  cmdline: c:\5bnbnb.exe  PID 1672
depth 150  \??\c:\pvddp.exe  cmdline: c:\pvddp.exe  PID 1620
depth 151  \??\c:\llrxrrx.exe  cmdline: c:\llrxrrx.exe  PID 2836
depth 152  \??\c:\3nhthn.exe  cmdline: c:\3nhthn.exe  PID 1592
depth 153  \??\c:\pjvdd.exe  cmdline: c:\pjvdd.exe  PID 2768
depth 154  \??\c:\9frlrrr.exe  cmdline: c:\9frlrrr.exe  PID 2272
depth 155  \??\c:\rlffrrx.exe  cmdline: c:\rlffrrx.exe  PID 2060
depth 156  \??\c:\hbbbbh.exe  cmdline: c:\hbbbbh.exe  PID 1324
depth 157  \??\c:\vpdpj.exe  cmdline: c:\vpdpj.exe  PID 780
depth 158  \??\c:\dvpdp.exe  cmdline: c:\dvpdp.exe  PID 584
depth 159  \??\c:\fflfrfx.exe  cmdline: c:\fflfrfx.exe  PID 1684
depth 160  \??\c:\rrrrlff.exe  cmdline: c:\rrrrlff.exe  PID 1740
depth 161  \??\c:\7bnhtn.exe  cmdline: c:\7bnhtn.exe  PID 1968
depth 162  \??\c:\9lfrxfr.exe  cmdline: c:\9lfrxfr.exe  PID 2540
depth 163  \??\c:\tththt.exe  cmdline: c:\tththt.exe  PID 1112
depth 164  \??\c:\hthntb.exe  cmdline: c:\hthntb.exe  PID 1044
depth 165  \??\c:\jppvv.exe  cmdline: c:\jppvv.exe  PID 1436
depth 166  \??\c:\thbnbh.exe  cmdline: c:\thbnbh.exe  PID 972
depth 167  \??\c:\3hbhnt.exe  cmdline: c:\3hbhnt.exe  PID 572
depth 168  \??\c:\1dvjd.exe  cmdline: c:\1dvjd.exe  PID 2084
depth 169  \??\c:\pjvjv.exe  cmdline: c:\pjvjv.exe  PID 3000
depth 170  \??\c:\llxrxfr.exe  cmdline: c:\llxrxfr.exe  PID 2012
depth 171  \??\c:\fxxfrfr.exe  cmdline: c:\fxxfrfr.exe  PID 1660
depth 172  \??\c:\5hbbtb.exe  cmdline: c:\5hbbtb.exe  PID 912
depth 173  \??\c:\hhtntb.exe  cmdline: c:\hhtntb.exe  PID 1608
depth 174  \??\c:\jpppd.exe  cmdline: c:\jpppd.exe  PID 1724
depth 175  \??\c:\rlxxflf.exe  cmdline: c:\rlxxflf.exe  PID 2144
depth 176  \??\c:\7lfrfrf.exe  cmdline: c:\7lfrfrf.exe  PID 2188
depth 177  \??\c:\5bttht.exe  cmdline: c:\5bttht.exe  PID 1028
depth 178  \??\c:\nhnbth.exe  cmdline: c:\nhnbth.exe  PID 2660
depth 179  \??\c:\jdvdp.exe  cmdline: c:\jdvdp.exe  PID 2652
depth 180  \??\c:\lfxxlxl.exe  cmdline: c:\lfxxlxl.exe  PID 2196
depth 181  \??\c:\7lllxxf.exe  cmdline: c:\7lllxxf.exe  PID 2604
depth 182  \??\c:\btbhth.exe  cmdline: c:\btbhth.exe  PID 2552
depth 183  \??\c:\dvjdd.exe  cmdline: c:\dvjdd.exe  PID 2888
depth 184  \??\c:\dvpdd.exe  cmdline: c:\dvpdd.exe  PID 2724
depth 185  \??\c:\7fxllrx.exe  cmdline: c:\7fxllrx.exe  PID 2976
depth 186  \??\c:\rllflxf.exe  cmdline: c:\rllflxf.exe  PID 2516
depth 187  \??\c:\tnbbbt.exe  cmdline: c:\tnbbbt.exe  PID 2896
depth 188  \??\c:\pjjjp.exe  cmdline: c:\pjjjp.exe  PID 2860
depth 189  \??\c:\vppdp.exe  cmdline: c:\vppdp.exe  PID 2100
depth 190  \??\c:\5rlrfrf.exe  cmdline: c:\5rlrfrf.exe  PID 2712
depth 191  \??\c:\5lllllr.exe  cmdline: c:\5lllllr.exe  PID 2840
depth 192  \??\c:\bbhnbh.exe  cmdline: c:\bbhnbh.exe  PID 1636
depth 193  \??\c:\ttbtth.exe  cmdline: c:\ttbtth.exe  PID 1628
depth 194  \??\c:\jjpjp.exe  cmdline: c:\jjpjp.exe  PID 1588
depth 195  \??\c:\pjvdj.exe  cmdline: c:\pjvdj.exe  PID 344
depth 196  \??\c:\frffflx.exe  cmdline: c:\frffflx.exe  PID 2328
depth 197  \??\c:\ttntbh.exe  cmdline: c:\ttntbh.exe  PID 2700
depth 198  \??\c:\hbntbb.exe  cmdline: c:\hbntbb.exe  PID 644
depth 199  \??\c:\3vpvj.exe  cmdline: c:\3vpvj.exe  PID 1748
depth 200  \??\c:\3vjpj.exe  cmdline: c:\3vjpj.exe  PID 1960
depth 201  \??\c:\5fxxxlx.exe  cmdline: c:\5fxxxlx.exe  PID 1192
depth 202  \??\c:\rfllfxf.exe  cmdline: c:\rfllfxf.exe  PID 1900
depth 203  \??\c:\hhbnhn.exe  cmdline: c:\hhbnhn.exe  PID 2940
depth 204  \??\c:\nhthnn.exe  cmdline: c:\nhthnn.exe  PID 1508
depth 205  \??\c:\dddjj.exe  cmdline: c:\dddjj.exe  PID 956
depth 206  \??\c:\jdpvv.exe  cmdline: c:\jdpvv.exe  PID 2772
depth 207  \??\c:\xxfrffr.exe  cmdline: c:\xxfrffr.exe  PID 852
depth 208  \??\c:\rlrxxxl.exe  cmdline: c:\rlrxxxl.exe  PID 652
depth 209  \??\c:\5nhthn.exe  cmdline: c:\5nhthn.exe  PID 2024
depth 210  \??\c:\dpjjv.exe  cmdline: c:\dpjjv.exe  PID 1364
depth 211  \??\c:\jvdjj.exe  cmdline: c:\jvdjj.exe  PID 1976
depth 212  \??\c:\xrflxlf.exe  cmdline: c:\xrflxlf.exe  PID 2424
depth 213  \??\c:\fxrxrxf.exe  cmdline: c:\fxrxrxf.exe  PID 2044
depth 214  \??\c:\1nhbnt.exe  cmdline: c:\1nhbnt.exe  PID 1048
depth 215  \??\c:\nnnnbb.exe  cmdline: c:\nnnnbb.exe  PID 1404
depth 216  \??\c:\7vjvd.exe  cmdline: c:\7vjvd.exe  PID 1704
depth 217  \??\c:\xrlxllf.exe  cmdline: c:\xrlxllf.exe  PID 884
depth 218  \??\c:\xrlrflx.exe  cmdline: c:\xrlrflx.exe  PID 1792
depth 219  \??\c:\btntbh.exe  cmdline: c:\btntbh.exe  PID 628
depth 220  \??\c:\hhntbb.exe  cmdline: c:\hhntbb.exe  PID 1004
depth 221  \??\c:\pjdjd.exe  cmdline: c:\pjdjd.exe  PID 2164
depth 222  \??\c:\9vvjv.exe  cmdline: c:\9vvjv.exe  PID 1668
depth 223  \??\c:\xlfxllr.exe  cmdline: c:\xlfxllr.exe  PID 2148
depth 224  \??\c:\7lrxllx.exe  cmdline: c:\7lrxllx.exe  PID 916
depth 225  \??\c:\btnhth.exe  cmdline: c:\btnhth.exe  PID 1336
depth 226  \??\c:\hhbtnt.exe  cmdline: c:\hhbtnt.exe  PID 1304
depth 227  \??\c:\jjjjv.exe  cmdline: c:\jjjjv.exe  PID 2152
depth 228  \??\c:\lxxlxrl.exe  cmdline: c:\lxxlxrl.exe  PID 2656
depth 229  \??\c:\rrlrxlr.exe  cmdline: c:\rrlrxlr.exe  PID 2884
depth 230  \??\c:\hthbhh.exe  cmdline: c:\hthbhh.exe  PID 2492
depth 231  \??\c:\5hntbt.exe  cmdline: c:\5hntbt.exe  PID 2592
depth 232  \??\c:\pjdjp.exe  cmdline: c:\pjdjp.exe  PID 2452
depth 233  \??\c:\vppvd.exe  cmdline: c:\vppvd.exe  PID 2984
depth 234  \??\c:\lfrllfl.exe  cmdline: c:\lfrllfl.exe  PID 2440
depth 235  \??\c:\7llrfff.exe  cmdline: c:\7llrfff.exe  PID 2748
depth 236  \??\c:\thtnnb.exe  cmdline: c:\thtnnb.exe  PID 2560
depth 237  \??\c:\dvdpv.exe  cmdline: c:\dvdpv.exe  PID 2400
depth 238  \??\c:\ppjjv.exe  cmdline: c:\ppjjv.exe  PID 2628
depth 239  \??\c:\lflrxfr.exe  cmdline: c:\lflrxfr.exe  PID 2472
depth 240  \??\c:\ffrfllx.exe  cmdline: c:\ffrfllx.exe  PID 2712
depth 241  \??\c:\tthntt.exe  cmdline: c:\tthntt.exe  PID 1640
depth 242  \??\c:\ttbnhn.exe  cmdline: c:\ttbnhn.exe  PID 2488