Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 02:20

Behavioral task: behavioral1
Sample: 249c95da8259543fa1fcf705fcd1bbb0_NeikiAnalytics.exe
Resource: win7-20231129-en

General
Target: 249c95da8259543fa1fcf705fcd1bbb0_NeikiAnalytics.exe
Size: 211KB
MD5: 249c95da8259543fa1fcf705fcd1bbb0
SHA1: d2a1d53996bf02d06c0f4aff5b58739b0d2c47a4
SHA256: 285e498eb387dfbdc32ea83f4c2530545be94277522b4c37030cd330b73c25e6
SHA512: 64e041c0c2f3b71f8b5ce797348eae6039105590d12091f7d692c17be3d93f2bc2737bc42fa02eabc84cdaaa407d6364821fe1214f702dc7dc1368484b632b6f
SSDEEP: 6144:Hcm4FmowdHoSrXZf8l/ubPzYNLPf4t+lg:V4wFHoSBK/ubLcfC
Malware Config
Signatures
-
Detect Blackmoon payload 34 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\249c95da8259543fa1fcf705fcd1bbb0_NeikiAnalytics.exe (PID 2372)
  command line: "C:\Users\Admin\AppData\Local\Temp\249c95da8259543fa1fcf705fcd1bbb0_NeikiAnalytics.exe"
  - Suspicious use of WriteProcessMemory