Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
18-05-2024 06:20
Behavioral task
behavioral1 (note: every yara hit, memory dump and WriteProcessMemory entry listed further down is tagged behavioral2, i.e. the win10v2004-20240508-en task from the header above; the results of this Windows 7 task are not shown on this page)
Sample
a1b174eee27b1da19240e54c5199d2f0_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
5 signatures
150 seconds
General
-
Target
a1b174eee27b1da19240e54c5199d2f0_NeikiAnalytics.exe
-
Size
106KB
-
MD5
a1b174eee27b1da19240e54c5199d2f0
-
SHA1
38fa52f8d87214333eeb2a41fb485a1bef431919
-
SHA256
a31242815ff470c5578bf6e79a2ffcce619e2d51a8da457e6b2e8425107724e2
-
SHA512
0abb76c1526a826091a1fed9dc3b7d1d2a65c81eaa4c5b517bb531e8f9b5b41a3424824e90f67c2af88fc847c7b52ada621a38042cf95dd0eeba8ab8fb677479
-
SSDEEP
3072:khOmTsF93UYfwC6GIoutpYcvrqrE66krop7BcgJ:kcm4FmowdHoSphraHcp7yw
Malware Config (section is empty on this page — no configuration was extracted for this sample)
Signatures
-
Detect Blackmoon payload (64 IoCs; yara rule `family_blackmoon` matched the same in-memory region 0x0000000000400000-0x0000000000427000 in every process of the spawn chain)
Processes:
resource yara_rule behavioral2/memory/2552-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3592-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4912-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4092-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1836-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4728-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/440-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/440-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3220-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2160-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2116-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2112-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2404-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3152-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4032-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1904-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/908-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4748-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/336-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4236-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2632-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4312-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4948-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/628-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4972-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2708-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/856-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2540-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3300-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4588-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3544-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1404-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1036-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4348-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4396-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2312-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1280-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1236-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1444-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4924-386-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2348-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3860-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3216-466-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-527-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2348-565-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-629-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1280-679-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1332-741-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1716-1029-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3468-1059-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2204-1155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE (64 IoCs; the dropped binaries are written to the root of the system drive, e.g. C:\rrllffr.exe and \??\c:\nbnntn.exe, with names built from the letters b/d/f/h/j/l/n/p/r/t/v/x and an occasional leading digit — a naming pattern usable for hunting, since legitimate software does not drop executables at C:\)
Processes:
rrllffr.exenbnntn.exebhhhtt.exebbhhhh.exepjppj.exedvdvp.exerrllffx.exexrxrxxx.exehbbtnn.exepvjpv.exexffxllf.exelfffffl.exehtbbhh.exepdjvp.exellrrffx.exebntnbb.exe1jpjv.exefxlfxxr.exe7hnhhh.exepdvvp.exeflffxxf.exelxrrlrl.exe1hnhhh.exetnnhbh.exevjpdv.exehtbbnn.exe9vvvp.exerxrrfff.exelfrlxrr.exebttnnn.exedvdvj.exexrllfxr.exeflfffff.exebnnnhh.exehttnbt.exepvvpd.exerfllxrl.exelfxrlfx.exe1hnhhh.exehthnbn.exe7ppjd.exerflxrxr.exefrfrfxl.exenbtnhn.exerrxxlrx.exennnnhn.exebtbtbh.exejjddv.exe9pjjd.exefllffff.exetntnhh.exethbthh.exepddpj.exeddpjv.exe7rrrlff.exelrrlxxr.exe9ttnnn.exebntbnh.exedpppp.exellfrxfx.exerlxrffx.exettthhb.exejpjjd.exefxlfxxr.exepid process 3592 rrllffr.exe 3932 nbnntn.exe 4912 bhhhtt.exe 4728 bbhhhh.exe 3980 pjppj.exe 1836 dvdvp.exe 4092 rrllffx.exe 4116 xrxrxxx.exe 440 hbbtnn.exe 3220 pvjpv.exe 2160 xffxllf.exe 2116 lfffffl.exe 2236 htbbhh.exe 2112 pdjvp.exe 2404 llrrffx.exe 3152 bntnbb.exe 1080 1jpjv.exe 4032 fxlfxxr.exe 2132 7hnhhh.exe 3744 pdvvp.exe 908 flffxxf.exe 1904 lxrrlrl.exe 4520 1hnhhh.exe 5084 tnnhbh.exe 4748 vjpdv.exe 2516 htbbnn.exe 3684 9vvvp.exe 5040 rxrrfff.exe 336 lfrlxrr.exe 2604 bttnnn.exe 4236 dvdvj.exe 2632 xrllfxr.exe 4312 flfffff.exe 2192 bnnnhh.exe 4948 httnbt.exe 2028 pvvpd.exe 5064 rfllxrl.exe 4528 lfxrlfx.exe 628 1hnhhh.exe 828 hthnbn.exe 1568 7ppjd.exe 4972 rflxrxr.exe 1584 frfrfxl.exe 2696 nbtnhn.exe 2552 rrxxlrx.exe 4620 nnnnhn.exe 3932 btbtbh.exe 856 jjddv.exe 3960 9pjjd.exe 2540 fllffff.exe 3300 tntnhh.exe 4588 thbthh.exe 3544 pddpj.exe 996 ddpjv.exe 4116 7rrrlff.exe 1404 lrrlxxr.exe 4800 9ttnnn.exe 2592 bntbnh.exe 4984 dpppp.exe 4916 llfrxfx.exe 1036 rlxrffx.exe 4348 ttthhb.exe 4396 jpjjd.exe 2312 fxlfxxr.exe -
UPX-packed executable (64 IoCs; yara rule tag `upx` matched both the dropped C:\*.exe files and the 0x0000000000400000-0x0000000000427000 region of each running process — the signature title is missing from this page and has been reconstructed from the rule tag)
Processes:
resource yara_rule behavioral2/memory/2552-0-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rrllffr.exe upx behavioral2/memory/2552-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3592-13-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\nbnntn.exe upx C:\bhhhtt.exe upx behavioral2/memory/4912-18-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bbhhhh.exe upx \??\c:\pjppj.exe upx behavioral2/memory/3980-29-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\dvdvp.exe upx C:\rrllffx.exe upx behavioral2/memory/4092-41-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\xrxrxxx.exe upx behavioral2/memory/4116-49-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\hbbtnn.exe upx behavioral2/memory/1836-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4728-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/440-55-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\pvjpv.exe upx behavioral2/memory/440-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3220-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3220-67-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\lfffffl.exe upx behavioral2/memory/2160-70-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\htbbhh.exe upx behavioral2/memory/2236-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2116-75-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xffxllf.exe upx C:\pdjvp.exe upx C:\llrrffx.exe upx behavioral2/memory/2112-89-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\bntnbb.exe upx behavioral2/memory/2404-96-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\1jpjv.exe upx behavioral2/memory/3152-101-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\fxlfxxr.exe upx \??\c:\7hnhhh.exe upx behavioral2/memory/4032-112-0x0000000000400000-0x0000000000427000-memory.dmp upx 
C:\pdvvp.exe upx C:\flffxxf.exe upx C:\1hnhhh.exe upx behavioral2/memory/1904-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/908-129-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\tnnhbh.exe upx C:\lxrrlrl.exe upx behavioral2/memory/5084-145-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\vjpdv.exe upx C:\htbbnn.exe upx behavioral2/memory/4748-151-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\9vvvp.exe upx behavioral2/memory/2516-157-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rxrrfff.exe upx \??\c:\lfrlxrr.exe upx behavioral2/memory/5040-170-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bttnnn.exe upx behavioral2/memory/336-175-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\dvdvj.exe upx behavioral2/memory/4236-184-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xrllfxr.exe upx behavioral2/memory/2632-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4312-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2192-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4948-202-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory (64 IoCs; entries below read parent PID → child PID, parent image, child image. Each process writes three times into the child it has just spawned, e.g. PID 2552 a1b174ee…_NeikiAnalytics.exe → 3592 rrllffr.exe, and the child then repeats the pattern with the next dropped file. Together with the identical flagged region 0x400000-0x427000 in every process this is consistent with each dropped binary being a copy of the same packed image, but the page does not show per-file hashes of the drops to confirm it.)
Processes:
a1b174eee27b1da19240e54c5199d2f0_NeikiAnalytics.exerrllffr.exenbnntn.exebhhhtt.exebbhhhh.exepjppj.exedvdvp.exerrllffx.exexrxrxxx.exehbbtnn.exepvjpv.exexffxllf.exelfffffl.exehtbbhh.exepdjvp.exellrrffx.exebntnbb.exe1jpjv.exefxlfxxr.exe7hnhhh.exepdvvp.exeflffxxf.exedescription pid process target process PID 2552 wrote to memory of 3592 2552 a1b174eee27b1da19240e54c5199d2f0_NeikiAnalytics.exe rrllffr.exe PID 2552 wrote to memory of 3592 2552 a1b174eee27b1da19240e54c5199d2f0_NeikiAnalytics.exe rrllffr.exe PID 2552 wrote to memory of 3592 2552 a1b174eee27b1da19240e54c5199d2f0_NeikiAnalytics.exe rrllffr.exe PID 3592 wrote to memory of 3932 3592 rrllffr.exe nbnntn.exe PID 3592 wrote to memory of 3932 3592 rrllffr.exe nbnntn.exe PID 3592 wrote to memory of 3932 3592 rrllffr.exe nbnntn.exe PID 3932 wrote to memory of 4912 3932 nbnntn.exe bhhhtt.exe PID 3932 wrote to memory of 4912 3932 nbnntn.exe bhhhtt.exe PID 3932 wrote to memory of 4912 3932 nbnntn.exe bhhhtt.exe PID 4912 wrote to memory of 4728 4912 bhhhtt.exe bbhhhh.exe PID 4912 wrote to memory of 4728 4912 bhhhtt.exe bbhhhh.exe PID 4912 wrote to memory of 4728 4912 bhhhtt.exe bbhhhh.exe PID 4728 wrote to memory of 3980 4728 bbhhhh.exe pjppj.exe PID 4728 wrote to memory of 3980 4728 bbhhhh.exe pjppj.exe PID 4728 wrote to memory of 3980 4728 bbhhhh.exe pjppj.exe PID 3980 wrote to memory of 1836 3980 pjppj.exe dvdvp.exe PID 3980 wrote to memory of 1836 3980 pjppj.exe dvdvp.exe PID 3980 wrote to memory of 1836 3980 pjppj.exe dvdvp.exe PID 1836 wrote to memory of 4092 1836 dvdvp.exe rrllffx.exe PID 1836 wrote to memory of 4092 1836 dvdvp.exe rrllffx.exe PID 1836 wrote to memory of 4092 1836 dvdvp.exe rrllffx.exe PID 4092 wrote to memory of 4116 4092 rrllffx.exe xrxrxxx.exe PID 4092 wrote to memory of 4116 4092 rrllffx.exe xrxrxxx.exe PID 4092 wrote to memory of 4116 4092 rrllffx.exe xrxrxxx.exe PID 4116 wrote to memory of 440 4116 xrxrxxx.exe hbbtnn.exe PID 4116 wrote to memory of 440 4116 xrxrxxx.exe hbbtnn.exe PID 4116 
wrote to memory of 440 4116 xrxrxxx.exe hbbtnn.exe PID 440 wrote to memory of 3220 440 hbbtnn.exe pvjpv.exe PID 440 wrote to memory of 3220 440 hbbtnn.exe pvjpv.exe PID 440 wrote to memory of 3220 440 hbbtnn.exe pvjpv.exe PID 3220 wrote to memory of 2160 3220 pvjpv.exe xffxllf.exe PID 3220 wrote to memory of 2160 3220 pvjpv.exe xffxllf.exe PID 3220 wrote to memory of 2160 3220 pvjpv.exe xffxllf.exe PID 2160 wrote to memory of 2116 2160 xffxllf.exe lfffffl.exe PID 2160 wrote to memory of 2116 2160 xffxllf.exe lfffffl.exe PID 2160 wrote to memory of 2116 2160 xffxllf.exe lfffffl.exe PID 2116 wrote to memory of 2236 2116 lfffffl.exe htbbhh.exe PID 2116 wrote to memory of 2236 2116 lfffffl.exe htbbhh.exe PID 2116 wrote to memory of 2236 2116 lfffffl.exe htbbhh.exe PID 2236 wrote to memory of 2112 2236 htbbhh.exe pdjvp.exe PID 2236 wrote to memory of 2112 2236 htbbhh.exe pdjvp.exe PID 2236 wrote to memory of 2112 2236 htbbhh.exe pdjvp.exe PID 2112 wrote to memory of 2404 2112 pdjvp.exe llrrffx.exe PID 2112 wrote to memory of 2404 2112 pdjvp.exe llrrffx.exe PID 2112 wrote to memory of 2404 2112 pdjvp.exe llrrffx.exe PID 2404 wrote to memory of 3152 2404 llrrffx.exe bntnbb.exe PID 2404 wrote to memory of 3152 2404 llrrffx.exe bntnbb.exe PID 2404 wrote to memory of 3152 2404 llrrffx.exe bntnbb.exe PID 3152 wrote to memory of 1080 3152 bntnbb.exe 1jpjv.exe PID 3152 wrote to memory of 1080 3152 bntnbb.exe 1jpjv.exe PID 3152 wrote to memory of 1080 3152 bntnbb.exe 1jpjv.exe PID 1080 wrote to memory of 4032 1080 1jpjv.exe fxlfxxr.exe PID 1080 wrote to memory of 4032 1080 1jpjv.exe fxlfxxr.exe PID 1080 wrote to memory of 4032 1080 1jpjv.exe fxlfxxr.exe PID 4032 wrote to memory of 2132 4032 fxlfxxr.exe 7hnhhh.exe PID 4032 wrote to memory of 2132 4032 fxlfxxr.exe 7hnhhh.exe PID 4032 wrote to memory of 2132 4032 fxlfxxr.exe 7hnhhh.exe PID 2132 wrote to memory of 3744 2132 7hnhhh.exe pdvvp.exe PID 2132 wrote to memory of 3744 2132 7hnhhh.exe pdvvp.exe PID 2132 wrote to memory of 
3744 2132 7hnhhh.exe pdvvp.exe PID 3744 wrote to memory of 908 3744 pdvvp.exe flffxxf.exe PID 3744 wrote to memory of 908 3744 pdvvp.exe flffxxf.exe PID 3744 wrote to memory of 908 3744 pdvvp.exe flffxxf.exe PID 908 wrote to memory of 1904 908 flffxxf.exe lxrrlrl.exe
Processes (process tree: each entry is the image path immediately followed by its command line, and the trailing number before ⤵ is the nesting depth. PIDs are reused within this single run — 2552 is both the submitted sample at depth 1 and rrxxlrx.exe at depth 47, 3932 is nbnntn.exe at depth 3 and btbtbh.exe at depth 49, 4116 is xrxrxxx.exe at depth 9 and 7rrrlff.exe at depth 57 — so earlier links of the chain have already exited; when correlating with the memory dumps or WriteProcessMemory entries above, key on PID plus image name/start order, never on PID alone.)
-
C:\Users\Admin\AppData\Local\Temp\a1b174eee27b1da19240e54c5199d2f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a1b174eee27b1da19240e54c5199d2f0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\rrllffr.exec:\rrllffr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\nbnntn.exec:\nbnntn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\bhhhtt.exec:\bhhhtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\bbhhhh.exec:\bbhhhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\pjppj.exec:\pjppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\dvdvp.exec:\dvdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\rrllffx.exec:\rrllffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\xrxrxxx.exec:\xrxrxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\hbbtnn.exec:\hbbtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\pvjpv.exec:\pvjpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\xffxllf.exec:\xffxllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\lfffffl.exec:\lfffffl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\htbbhh.exec:\htbbhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\pdjvp.exec:\pdjvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\llrrffx.exec:\llrrffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\bntnbb.exec:\bntnbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\1jpjv.exec:\1jpjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\fxlfxxr.exec:\fxlfxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\7hnhhh.exec:\7hnhhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\pdvvp.exec:\pdvvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\flffxxf.exec:\flffxxf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908 -
\??\c:\lxrrlrl.exec:\lxrrlrl.exe23⤵
- Executes dropped EXE
PID:1904 -
\??\c:\1hnhhh.exec:\1hnhhh.exe24⤵
- Executes dropped EXE
PID:4520 -
\??\c:\tnnhbh.exec:\tnnhbh.exe25⤵
- Executes dropped EXE
PID:5084 -
\??\c:\vjpdv.exec:\vjpdv.exe26⤵
- Executes dropped EXE
PID:4748 -
\??\c:\htbbnn.exec:\htbbnn.exe27⤵
- Executes dropped EXE
PID:2516 -
\??\c:\9vvvp.exec:\9vvvp.exe28⤵
- Executes dropped EXE
PID:3684 -
\??\c:\rxrrfff.exec:\rxrrfff.exe29⤵
- Executes dropped EXE
PID:5040 -
\??\c:\lfrlxrr.exec:\lfrlxrr.exe30⤵
- Executes dropped EXE
PID:336 -
\??\c:\bttnnn.exec:\bttnnn.exe31⤵
- Executes dropped EXE
PID:2604 -
\??\c:\dvdvj.exec:\dvdvj.exe32⤵
- Executes dropped EXE
PID:4236 -
\??\c:\xrllfxr.exec:\xrllfxr.exe33⤵
- Executes dropped EXE
PID:2632 -
\??\c:\flfffff.exec:\flfffff.exe34⤵
- Executes dropped EXE
PID:4312 -
\??\c:\bnnnhh.exec:\bnnnhh.exe35⤵
- Executes dropped EXE
PID:2192 -
\??\c:\httnbt.exec:\httnbt.exe36⤵
- Executes dropped EXE
PID:4948 -
\??\c:\pvvpd.exec:\pvvpd.exe37⤵
- Executes dropped EXE
PID:2028 -
\??\c:\rfllxrl.exec:\rfllxrl.exe38⤵
- Executes dropped EXE
PID:5064 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe39⤵
- Executes dropped EXE
PID:4528 -
\??\c:\1hnhhh.exec:\1hnhhh.exe40⤵
- Executes dropped EXE
PID:628 -
\??\c:\hthnbn.exec:\hthnbn.exe41⤵
- Executes dropped EXE
PID:828 -
\??\c:\7ppjd.exec:\7ppjd.exe42⤵
- Executes dropped EXE
PID:1568 -
\??\c:\rflxrxr.exec:\rflxrxr.exe43⤵
- Executes dropped EXE
PID:4972 -
\??\c:\frfrfxl.exec:\frfrfxl.exe44⤵
- Executes dropped EXE
PID:1584 -
\??\c:\nbtnhn.exec:\nbtnhn.exe45⤵
- Executes dropped EXE
PID:2696 -
\??\c:\dvvpj.exec:\dvvpj.exe46⤵PID:2708
-
\??\c:\rrxxlrx.exec:\rrxxlrx.exe47⤵
- Executes dropped EXE
PID:2552 -
\??\c:\nnnnhn.exec:\nnnnhn.exe48⤵
- Executes dropped EXE
PID:4620 -
\??\c:\btbtbh.exec:\btbtbh.exe49⤵
- Executes dropped EXE
PID:3932 -
\??\c:\jjddv.exec:\jjddv.exe50⤵
- Executes dropped EXE
PID:856 -
\??\c:\9pjjd.exec:\9pjjd.exe51⤵
- Executes dropped EXE
PID:3960 -
\??\c:\fllffff.exec:\fllffff.exe52⤵
- Executes dropped EXE
PID:2540 -
\??\c:\tntnhh.exec:\tntnhh.exe53⤵
- Executes dropped EXE
PID:3300 -
\??\c:\thbthh.exec:\thbthh.exe54⤵
- Executes dropped EXE
PID:4588 -
\??\c:\pddpj.exec:\pddpj.exe55⤵
- Executes dropped EXE
PID:3544 -
\??\c:\ddpjv.exec:\ddpjv.exe56⤵
- Executes dropped EXE
PID:996 -
\??\c:\7rrrlff.exec:\7rrrlff.exe57⤵
- Executes dropped EXE
PID:4116 -
\??\c:\lrrlxxr.exec:\lrrlxxr.exe58⤵
- Executes dropped EXE
PID:1404 -
\??\c:\9ttnnn.exec:\9ttnnn.exe59⤵
- Executes dropped EXE
PID:4800 -
\??\c:\bntbnh.exec:\bntbnh.exe60⤵
- Executes dropped EXE
PID:2592 -
\??\c:\dpppp.exec:\dpppp.exe61⤵
- Executes dropped EXE
PID:4984 -
\??\c:\llfrxfx.exec:\llfrxfx.exe62⤵
- Executes dropped EXE
PID:4916 -
\??\c:\rlxrffx.exec:\rlxrffx.exe63⤵
- Executes dropped EXE
PID:1036 -
\??\c:\ttthhb.exec:\ttthhb.exe64⤵
- Executes dropped EXE
PID:4348 -
\??\c:\jpjjd.exec:\jpjjd.exe65⤵
- Executes dropped EXE
PID:4396 -
\??\c:\fxlfxxr.exec:\fxlfxxr.exe66⤵
- Executes dropped EXE
PID:2312 -
\??\c:\fxrrllr.exec:\fxrrllr.exe67⤵PID:3000
-
\??\c:\5ntnnh.exec:\5ntnnh.exe68⤵PID:2440
-
\??\c:\thhhhh.exec:\thhhhh.exe69⤵PID:4944
-
\??\c:\pjjdv.exec:\pjjdv.exe70⤵PID:2844
-
\??\c:\flrrlfx.exec:\flrrlfx.exe71⤵PID:1472
-
\??\c:\ttnhtt.exec:\ttnhtt.exe72⤵PID:5024
-
\??\c:\hnnhtt.exec:\hnnhtt.exe73⤵PID:2104
-
\??\c:\thhbtt.exec:\thhbtt.exe74⤵PID:1432
-
\??\c:\ddvpj.exec:\ddvpj.exe75⤵PID:1280
-
\??\c:\3xlfflf.exec:\3xlfflf.exe76⤵PID:1888
-
\??\c:\fxrfrfx.exec:\fxrfrfx.exe77⤵PID:4936
-
\??\c:\ttnhbb.exec:\ttnhbb.exe78⤵PID:2396
-
\??\c:\vdvvj.exec:\vdvvj.exe79⤵PID:1236
-
\??\c:\vdvjd.exec:\vdvjd.exe80⤵PID:4440
-
\??\c:\5flxrrr.exec:\5flxrrr.exe81⤵PID:2628
-
\??\c:\xrrlrrr.exec:\xrrlrrr.exe82⤵PID:2460
-
\??\c:\hbnntt.exec:\hbnntt.exe83⤵PID:2624
-
\??\c:\pvvjd.exec:\pvvjd.exe84⤵PID:1444
-
\??\c:\7vjdv.exec:\7vjdv.exe85⤵PID:4004
-
\??\c:\xflfrrl.exec:\xflfrrl.exe86⤵PID:1844
-
\??\c:\nhtttn.exec:\nhtttn.exe87⤵PID:532
-
\??\c:\tntnhn.exec:\tntnhn.exe88⤵PID:1876
-
\??\c:\pdvpj.exec:\pdvpj.exe89⤵PID:4236
-
\??\c:\rxrxrfr.exec:\rxrxrfr.exe90⤵PID:4332
-
\??\c:\tbhbnn.exec:\tbhbnn.exe91⤵PID:4924
-
\??\c:\vdvpj.exec:\vdvpj.exe92⤵PID:4312
-
\??\c:\djdvj.exec:\djdvj.exe93⤵PID:2036
-
\??\c:\lfrfxll.exec:\lfrfxll.exe94⤵PID:4044
-
\??\c:\nhbbnn.exec:\nhbbnn.exe95⤵PID:3944
-
\??\c:\hbhhbt.exec:\hbhhbt.exe96⤵PID:2348
-
\??\c:\jvddp.exec:\jvddp.exe97⤵PID:1716
-
\??\c:\pppdv.exec:\pppdv.exe98⤵PID:3860
-
\??\c:\xxffrrf.exec:\xxffrrf.exe99⤵PID:1332
-
\??\c:\tnnbtn.exec:\tnnbtn.exe100⤵PID:1212
-
\??\c:\hbtnbb.exec:\hbtnbb.exe101⤵PID:2400
-
\??\c:\pjjdv.exec:\pjjdv.exe102⤵PID:4504
-
\??\c:\1dpjj.exec:\1dpjj.exe103⤵PID:900
-
\??\c:\fllffxf.exec:\fllffxf.exe104⤵PID:4616
-
\??\c:\hnnttt.exec:\hnnttt.exe105⤵PID:4484
-
\??\c:\1nnhtn.exec:\1nnhtn.exe106⤵PID:4412
-
\??\c:\vpjdp.exec:\vpjdp.exe107⤵PID:904
-
\??\c:\xxlxrrr.exec:\xxlxrrr.exe108⤵PID:3876
-
\??\c:\btbnhn.exec:\btbnhn.exe109⤵PID:1208
-
\??\c:\9bhbbb.exec:\9bhbbb.exe110⤵PID:224
-
\??\c:\pjpjd.exec:\pjpjd.exe111⤵PID:2064
-
\??\c:\dvdvd.exec:\dvdvd.exe112⤵PID:3544
-
\??\c:\rlrrlfr.exec:\rlrrlfr.exe113⤵PID:996
-
\??\c:\bnnhtn.exec:\bnnhtn.exe114⤵PID:2596
-
\??\c:\thhtnh.exec:\thhtnh.exe115⤵PID:2016
-
\??\c:\dpdpd.exec:\dpdpd.exe116⤵PID:4260
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe117⤵PID:3216
-
\??\c:\xffllll.exec:\xffllll.exe118⤵PID:4844
-
\??\c:\tntnhh.exec:\tntnhh.exe119⤵PID:3740
-
\??\c:\vpjvv.exec:\vpjvv.exe120⤵PID:2932
-
\??\c:\pjjdp.exec:\pjjdp.exe121⤵PID:2736
-
\??\c:\tnthtt.exec:\tnthtt.exe122⤵PID:4420
-
\??\c:\hbhtnh.exec:\hbhtnh.exe123⤵PID:1912
-
\??\c:\vpvpv.exec:\vpvpv.exe124⤵PID:4572
-
\??\c:\bbbtnn.exec:\bbbtnn.exe125⤵PID:4812
-
\??\c:\vvjdv.exec:\vvjdv.exe126⤵PID:3964
-
\??\c:\xxlfffl.exec:\xxlfffl.exe127⤵PID:2816
-
\??\c:\1djvp.exec:\1djvp.exe128⤵PID:3344
-
\??\c:\vpddd.exec:\vpddd.exe129⤵PID:632
-
\??\c:\ffxrffx.exec:\ffxrffx.exe130⤵PID:2260
-
\??\c:\hhhtnn.exec:\hhhtnn.exe131⤵PID:4560
-
\??\c:\nttnnn.exec:\nttnnn.exe132⤵PID:1028
-
\??\c:\pvvjd.exec:\pvvjd.exe133⤵PID:428
-
\??\c:\pvdvp.exec:\pvdvp.exe134⤵PID:3604
-
\??\c:\lrllllf.exec:\lrllllf.exe135⤵PID:1236
-
\??\c:\lrrflff.exec:\lrrflff.exe136⤵PID:5072
-
\??\c:\bttnhh.exec:\bttnhh.exe137⤵PID:1612
-
\??\c:\tnttnn.exec:\tnttnn.exe138⤵PID:1048
-
\??\c:\pjvpj.exec:\pjvpj.exe139⤵PID:3204
-
\??\c:\vvvpj.exec:\vvvpj.exe140⤵PID:2456
-
\??\c:\rrrlllf.exec:\rrrlllf.exe141⤵PID:4264
-
\??\c:\5rrrllf.exec:\5rrrllf.exe142⤵PID:4988
-
\??\c:\nnnnhh.exec:\nnnnhh.exe143⤵PID:4500
-
\??\c:\nnnhbt.exec:\nnnhbt.exe144⤵PID:4524
-
\??\c:\pvdvd.exec:\pvdvd.exe145⤵PID:4088
-
\??\c:\jjdvp.exec:\jjdvp.exe146⤵PID:1928
-
\??\c:\hnttnn.exec:\hnttnn.exe147⤵PID:3944
-
\??\c:\ppvvd.exec:\ppvvd.exe148⤵PID:2348
-
\??\c:\rffxrrr.exec:\rffxrrr.exe149⤵PID:1716
-
\??\c:\hnnttt.exec:\hnnttt.exe150⤵PID:912
-
\??\c:\jddvv.exec:\jddvv.exe151⤵PID:1664
-
\??\c:\ppvpp.exec:\ppvpp.exe152⤵PID:1212
-
\??\c:\hhnttn.exec:\hhnttn.exe153⤵PID:3928
-
\??\c:\hntttt.exec:\hntttt.exe154⤵PID:3612
-
\??\c:\lrxfxrr.exec:\lrxfxrr.exe155⤵PID:4160
-
\??\c:\lrrrxxr.exec:\lrrrxxr.exe156⤵PID:2340
-
\??\c:\thttnn.exec:\thttnn.exe157⤵PID:3468
-
\??\c:\tttttt.exec:\tttttt.exe158⤵PID:2068
-
\??\c:\ddjdd.exec:\ddjdd.exe159⤵PID:4404
-
\??\c:\ffrlllx.exec:\ffrlllx.exe160⤵PID:3920
-
\??\c:\fffffff.exec:\fffffff.exe161⤵PID:3540
-
\??\c:\hhttbb.exec:\hhttbb.exe162⤵PID:4552
-
\??\c:\thnhnn.exec:\thnhnn.exe163⤵PID:3224
-
\??\c:\lrrlxxl.exec:\lrrlxxl.exe164⤵PID:3848
-
\??\c:\btnnnh.exec:\btnnnh.exe165⤵PID:3828
-
\??\c:\nbbttb.exec:\nbbttb.exe166⤵PID:2760
-
\??\c:\pddvp.exec:\pddvp.exe167⤵PID:2032
-
\??\c:\xllfxrl.exec:\xllfxrl.exe168⤵PID:3384
-
\??\c:\flrrrrl.exec:\flrrrrl.exe169⤵PID:4980
-
\??\c:\ttnnhh.exec:\ttnnhh.exe170⤵PID:5016
-
\??\c:\pvvpv.exec:\pvvpv.exe171⤵PID:4916
-
\??\c:\dppjp.exec:\dppjp.exe172⤵PID:1160
-
\??\c:\xxfxxll.exec:\xxfxxll.exe173⤵PID:2684
-
\??\c:\rlffrrl.exec:\rlffrrl.exe174⤵PID:4340
-
\??\c:\nnhbbb.exec:\nnhbbb.exe175⤵PID:4348
-
\??\c:\jjdvp.exec:\jjdvp.exe176⤵PID:4976
-
\??\c:\7jjjd.exec:\7jjjd.exe177⤵PID:3152
-
\??\c:\dpdjv.exec:\dpdjv.exe178⤵PID:3640
-
\??\c:\rllrfxr.exec:\rllrfxr.exe179⤵PID:1228
-
\??\c:\ntttnb.exec:\ntttnb.exe180⤵PID:2132
-
\??\c:\vpjdv.exec:\vpjdv.exe181⤵PID:4780
-
\??\c:\vppjv.exec:\vppjv.exe182⤵PID:1472
-
\??\c:\lrrllll.exec:\lrrllll.exe183⤵PID:5024
-
\??\c:\rflllll.exec:\rflllll.exe184⤵PID:668
-
\??\c:\hbbtnn.exec:\hbbtnn.exe185⤵PID:1280
-
\??\c:\bttnhb.exec:\bttnhb.exe186⤵PID:408
-
\??\c:\jjjjj.exec:\jjjjj.exe187⤵PID:2328
-
\??\c:\rflfrll.exec:\rflfrll.exe188⤵PID:2268
-
\??\c:\lllfffx.exec:\lllfffx.exe189⤵PID:4232
-
\??\c:\7hhnnt.exec:\7hhnnt.exe190⤵PID:2628
-
\??\c:\bttnht.exec:\bttnht.exe191⤵PID:5040
-
\??\c:\jdjdv.exec:\jdjdv.exe192⤵PID:116
-
\??\c:\9xxrxxr.exec:\9xxrxxr.exe193⤵PID:1572
-
\??\c:\fllrrxx.exec:\fllrrxx.exe194⤵PID:3404
-
\??\c:\5nttbb.exec:\5nttbb.exe195⤵PID:4236
-
\??\c:\jpjdv.exec:\jpjdv.exe196⤵PID:4604
-
\??\c:\jdddv.exec:\jdddv.exe197⤵PID:3648
-
\??\c:\rrxrxfr.exec:\rrxrxfr.exe198⤵PID:4932
-
\??\c:\xffffxf.exec:\xffffxf.exe199⤵PID:4044
-
\??\c:\hthbtn.exec:\hthbtn.exe200⤵PID:3076
-
\??\c:\tntnnn.exec:\tntnnn.exe201⤵PID:1184
-
\??\c:\pvdvp.exec:\pvdvp.exe202⤵PID:1420
-
\??\c:\pdjjd.exec:\pdjjd.exe203⤵PID:3040
-
\??\c:\xfrfrfx.exec:\xfrfrfx.exe204⤵PID:4476
-
\??\c:\lxrrlrl.exec:\lxrrlrl.exe205⤵PID:1332
-
\??\c:\tbnnhh.exec:\tbnnhh.exe206⤵PID:4300
-
\??\c:\dvvpd.exec:\dvvpd.exe207⤵PID:4504
-
\??\c:\xrxlxxr.exec:\xrxlxxr.exe208⤵PID:900
-
\??\c:\fffxrlf.exec:\fffxrlf.exe209⤵PID:4912
-
\??\c:\bnnthh.exec:\bnnthh.exe210⤵PID:3588
-
\??\c:\dpjpd.exec:\dpjpd.exe211⤵PID:1964
-
\??\c:\1djdv.exec:\1djdv.exe212⤵PID:2540
-
\??\c:\5flfffx.exec:\5flfffx.exe213⤵PID:3388
-
\??\c:\xrllfrr.exec:\xrllfrr.exe214⤵PID:208
-
\??\c:\1bbbth.exec:\1bbbth.exe215⤵PID:4180
-
\??\c:\pjjjv.exec:\pjjjv.exe216⤵PID:2592
-
\??\c:\rxffxxx.exec:\rxffxxx.exe217⤵PID:4980
-
\??\c:\llfxxxr.exec:\llfxxxr.exe218⤵PID:212
-
\??\c:\hbbhnh.exec:\hbbhnh.exe219⤵PID:2720
-
\??\c:\jppjp.exec:\jppjp.exe220⤵PID:2076
-
\??\c:\pdvvd.exec:\pdvvd.exe221⤵PID:2684
-
\??\c:\lflxxxr.exec:\lflxxxr.exe222⤵PID:4340
-
\??\c:\fxfxxrf.exec:\fxfxxrf.exe223⤵PID:2312
-
\??\c:\hntbtn.exec:\hntbtn.exe224⤵PID:3000
-
\??\c:\nnbbbb.exec:\nnbbbb.exe225⤵PID:1080
-
\??\c:\dvvpd.exec:\dvvpd.exe226⤵PID:3640
-
\??\c:\dvjdp.exec:\dvjdp.exe227⤵PID:3964
-
\??\c:\rlrlxxl.exec:\rlrlxxl.exe228⤵PID:4192
-
\??\c:\tnbnht.exec:\tnbnht.exe229⤵PID:4780
-
\??\c:\9jjdp.exec:\9jjdp.exe230⤵PID:4832
-
\??\c:\dppdp.exec:\dppdp.exe231⤵PID:2044
-
\??\c:\lffxlll.exec:\lffxlll.exe232⤵PID:4408
-
\??\c:\hbnnhn.exec:\hbnnhn.exe233⤵PID:1916
-
\??\c:\btnhtt.exec:\btnhtt.exe234⤵PID:4080
-
\??\c:\ppdvj.exec:\ppdvj.exe235⤵PID:2328
-
\??\c:\ffllfxx.exec:\ffllfxx.exe236⤵PID:2268
-
\??\c:\nttttb.exec:\nttttb.exe237⤵PID:2460
-
\??\c:\btnhbb.exec:\btnhbb.exe238⤵PID:4272
-
\??\c:\jdvpp.exec:\jdvpp.exe239⤵PID:4884
-
\??\c:\pjjdd.exec:\pjjdd.exe240⤵PID:1572
-
\??\c:\1xfxrxx.exec:\1xfxrxx.exe241⤵PID:3172
-
\??\c:\lrllffr.exec:\lrllffr.exe242⤵PID:4332