Analysis
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
18-05-2024 06:23
Behavioral task
behavioral1
Sample
a23635fd34c3e0832c2af0cd303a8500_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
5 signatures
150 seconds
General
Target
a23635fd34c3e0832c2af0cd303a8500_NeikiAnalytics.exe
Size
453KB
MD5
a23635fd34c3e0832c2af0cd303a8500
SHA1
f5dc9d6284d2991ee7e68918f0c3a28dc7320a50
SHA256
20d6d34f7f315bfe0b81365f99db2f8d9d7b84d4fbb39f6a00b48bc44e5dcbdc
SHA512
47870d540fc12a43af31f647dd00c7b74502e33fdec1f48f90b5bf8d625af1f1f5408db7f5d8d7ac49c93daf8d88f2651a7f211339c241a8ea3178a1d8f8899f
SSDEEP
6144:rcm4FmowdHoSphraHcpOaKHpXfRo0V8JcgE+ezpg1xrloBNTNms:x4wFHoS3eFaKHpv/VycgE81lgv
Malware Config
Signatures
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/4472-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1724-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1180-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1880-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2444-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3440-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2980-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2656-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2624-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4848-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4148-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4184-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3552-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3772-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1308-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1164-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4044-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3136-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4920-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2856-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4500-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3752-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2972-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2872-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1192-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/912-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3440-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2688-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1716-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3756-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2112-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1268-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2312-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3712-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5000-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3760-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2224-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1916-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2128-433-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3500-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2880-471-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/836-475-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-482-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4220-486-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-512-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-523-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-527-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-543-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4956-559-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1016-570-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3172-574-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2632-612-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1488-645-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-676-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3576-687-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
jdvvv.exe rffrfrf.exe vjjvj.exe rlfllxr.exe vdvvp.exe nbhbtn.exe 5rlfrlx.exe jpjvp.exe 5jjvp.exe tntbtn.exe 1dpdp.exe lrxlfxr.exe pdjpd.exe rrrflfr.exe bnhbnn.exe pddvp.exe bbbttt.exe jjpvp.exe llrfffl.exe bnhthh.exe jjvjv.exe xlrlxrl.exe nhnnnn.exe flfrrxl.exe fflrfxl.exe nhnbnh.exe dvvpd.exe ntnbbt.exe pdvvp.exe nbbhtn.exe ntthbb.exe lffxxrr.exe nhbtbh.exe 1pjdv.exe htnbnh.exe nnbnbn.exe jdjdv.exe frlrlxx.exe 7bhbbb.exe tnnhtn.exe 7jjvj.exe 1rlffll.exe bnbttn.exe ppdvd.exe vddvj.exe xlxflrr.exe hhtnhb.exe dpvpv.exe pjjjd.exe llrfxrf.exe rxxlffr.exe nbhbnn.exe pdvpd.exe fxfffff.exe 7xfrffx.exe htnbtn.exe jvdvv.exe ppvjp.exe xfffxff.exe bnnbtn.exe bbnbbn.exe rflflff.exe bbtthh.exe nnbhnh.exe pid process 4472 jdvvv.exe 4344 rffrfrf.exe 1180 vjjvj.exe 5108 rlfllxr.exe 1880 vdvvp.exe 5080 nbhbtn.exe 2396 5rlfrlx.exe 2444 jpjvp.exe 3440 5jjvp.exe 2980 tntbtn.exe 2656 1dpdp.exe 2624 lrxlfxr.exe 4848 pdjpd.exe 4148 rrrflfr.exe 4184 bnhbnn.exe 3552 pddvp.exe 3772 bbbttt.exe 4432 jjpvp.exe 1308 llrfffl.exe 2924 bnhthh.exe 1164 jjvjv.exe 3524 xlrlxrl.exe 4920 nhnnnn.exe 2632 flfrrxl.exe 4044 fflrfxl.exe 3136 nhnbnh.exe 2856 dvvpd.exe 924 ntnbbt.exe 216 pdvvp.exe 3752 nbbhtn.exe 4500 ntthbb.exe 2972 lffxxrr.exe 4552 nhbtbh.exe 3564 1pjdv.exe 4740 htnbnh.exe 3760 nnbnbn.exe 1996 jdjdv.exe 4360 frlrlxx.exe 208 7bhbbb.exe 2872 tnnhtn.exe 1192 7jjvj.exe 3476 1rlffll.exe 912 bnbttn.exe 2396 ppdvd.exe 5028 vddvj.exe 3440 xlxflrr.exe 2688 hhtnhb.exe 4320 dpvpv.exe 4956 pjjjd.exe 4508 llrfxrf.exe 2520 rxxlffr.exe 3096 nbhbnn.exe 3820 pdvpd.exe 544 fxfffff.exe 732 7xfrffx.exe 1716 htnbtn.exe 4340 jvdvv.exe 3756 ppvjp.exe 892 xfffxff.exe 3132 bnnbtn.exe 1308 bbnbbn.exe 2112 rflflff.exe 1268 bbtthh.exe 3624 nnbhnh.exe -
Processes:
resource yara_rule behavioral2/memory/1724-0-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\jdvvv.exe upx behavioral2/memory/4472-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1724-6-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rffrfrf.exe upx C:\vjjvj.exe upx C:\rlfllxr.exe upx behavioral2/memory/5108-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1180-23-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\vdvvp.exe upx behavioral2/memory/1880-30-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\nbhbtn.exe upx behavioral2/memory/1880-36-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\5rlfrlx.exe upx behavioral2/memory/5080-41-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\jpjvp.exe upx behavioral2/memory/2444-52-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\5jjvp.exe upx behavioral2/memory/3440-54-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\tntbtn.exe upx behavioral2/memory/2980-64-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\1dpdp.exe upx behavioral2/memory/2656-67-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\lrxlfxr.exe upx behavioral2/memory/2624-75-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\pdjpd.exe upx behavioral2/memory/4848-81-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rrrflfr.exe upx C:\bnhbnn.exe upx behavioral2/memory/4148-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4184-91-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\pddvp.exe upx C:\bbbttt.exe upx behavioral2/memory/3552-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3772-103-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jjpvp.exe upx behavioral2/memory/4432-109-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\llrfffl.exe upx C:\bnhthh.exe upx behavioral2/memory/1308-118-0x0000000000400000-0x0000000000427000-memory.dmp upx 
\??\c:\jjvjv.exe upx behavioral2/memory/1164-126-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xlrlxrl.exe upx C:\nhnnnn.exe upx \??\c:\fflrfxl.exe upx behavioral2/memory/4044-147-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\nhnbnh.exe upx behavioral2/memory/4044-153-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\dvvpd.exe upx behavioral2/memory/3136-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4920-141-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\flfrrxl.exe upx C:\ntnbbt.exe upx behavioral2/memory/2856-164-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\pdvvp.exe upx \??\c:\nbbhtn.exe upx behavioral2/memory/216-176-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\ntthbb.exe upx behavioral2/memory/4500-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3752-183-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\lffxxrr.exe upx behavioral2/memory/2972-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4552-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2872-216-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a23635fd34c3e0832c2af0cd303a8500_NeikiAnalytics.exe jdvvv.exe rffrfrf.exe vjjvj.exe rlfllxr.exe vdvvp.exe nbhbtn.exe 5rlfrlx.exe jpjvp.exe 5jjvp.exe tntbtn.exe 1dpdp.exe lrxlfxr.exe pdjpd.exe rrrflfr.exe bnhbnn.exe pddvp.exe bbbttt.exe jjpvp.exe llrfffl.exe bnhthh.exe jjvjv.exe description pid process target process PID 1724 wrote to memory of 4472 1724 a23635fd34c3e0832c2af0cd303a8500_NeikiAnalytics.exe jdvvv.exe PID 1724 wrote to memory of 4472 1724 a23635fd34c3e0832c2af0cd303a8500_NeikiAnalytics.exe jdvvv.exe PID 1724 wrote to memory of 4472 1724 a23635fd34c3e0832c2af0cd303a8500_NeikiAnalytics.exe jdvvv.exe PID 4472 wrote to memory of 4344 4472 jdvvv.exe rffrfrf.exe PID 4472 wrote to memory of 4344 4472 jdvvv.exe rffrfrf.exe PID 4472 wrote to memory of 4344 4472 jdvvv.exe rffrfrf.exe PID 4344 wrote to memory of 1180 4344 rffrfrf.exe vjjvj.exe PID 4344 wrote to memory of 1180 4344 rffrfrf.exe vjjvj.exe PID 4344 wrote to memory of 1180 4344 rffrfrf.exe vjjvj.exe PID 1180 wrote to memory of 5108 1180 vjjvj.exe rlfllxr.exe PID 1180 wrote to memory of 5108 1180 vjjvj.exe rlfllxr.exe PID 1180 wrote to memory of 5108 1180 vjjvj.exe rlfllxr.exe PID 5108 wrote to memory of 1880 5108 rlfllxr.exe vdvvp.exe PID 5108 wrote to memory of 1880 5108 rlfllxr.exe vdvvp.exe PID 5108 wrote to memory of 1880 5108 rlfllxr.exe vdvvp.exe PID 1880 wrote to memory of 5080 1880 vdvvp.exe nbhbtn.exe PID 1880 wrote to memory of 5080 1880 vdvvp.exe nbhbtn.exe PID 1880 wrote to memory of 5080 1880 vdvvp.exe nbhbtn.exe PID 5080 wrote to memory of 2396 5080 nbhbtn.exe 5rlfrlx.exe PID 5080 wrote to memory of 2396 5080 nbhbtn.exe 5rlfrlx.exe PID 5080 wrote to memory of 2396 5080 nbhbtn.exe 5rlfrlx.exe PID 2396 wrote to memory of 2444 2396 5rlfrlx.exe jpjvp.exe PID 2396 wrote to memory of 2444 2396 5rlfrlx.exe jpjvp.exe PID 2396 wrote to memory of 2444 2396 5rlfrlx.exe jpjvp.exe PID 2444 wrote to memory of 3440 2444 jpjvp.exe 5jjvp.exe PID 2444 wrote to memory of 3440 2444 jpjvp.exe 5jjvp.exe PID 2444 wrote to memory of
3440 2444 jpjvp.exe 5jjvp.exe PID 3440 wrote to memory of 2980 3440 5jjvp.exe tntbtn.exe PID 3440 wrote to memory of 2980 3440 5jjvp.exe tntbtn.exe PID 3440 wrote to memory of 2980 3440 5jjvp.exe tntbtn.exe PID 2980 wrote to memory of 2656 2980 tntbtn.exe 1dpdp.exe PID 2980 wrote to memory of 2656 2980 tntbtn.exe 1dpdp.exe PID 2980 wrote to memory of 2656 2980 tntbtn.exe 1dpdp.exe PID 2656 wrote to memory of 2624 2656 1dpdp.exe lrxlfxr.exe PID 2656 wrote to memory of 2624 2656 1dpdp.exe lrxlfxr.exe PID 2656 wrote to memory of 2624 2656 1dpdp.exe lrxlfxr.exe PID 2624 wrote to memory of 4848 2624 lrxlfxr.exe pdjpd.exe PID 2624 wrote to memory of 4848 2624 lrxlfxr.exe pdjpd.exe PID 2624 wrote to memory of 4848 2624 lrxlfxr.exe pdjpd.exe PID 4848 wrote to memory of 4148 4848 pdjpd.exe rrrflfr.exe PID 4848 wrote to memory of 4148 4848 pdjpd.exe rrrflfr.exe PID 4848 wrote to memory of 4148 4848 pdjpd.exe rrrflfr.exe PID 4148 wrote to memory of 4184 4148 rrrflfr.exe bnhbnn.exe PID 4148 wrote to memory of 4184 4148 rrrflfr.exe bnhbnn.exe PID 4148 wrote to memory of 4184 4148 rrrflfr.exe bnhbnn.exe PID 4184 wrote to memory of 3552 4184 bnhbnn.exe pddvp.exe PID 4184 wrote to memory of 3552 4184 bnhbnn.exe pddvp.exe PID 4184 wrote to memory of 3552 4184 bnhbnn.exe pddvp.exe PID 3552 wrote to memory of 3772 3552 pddvp.exe bbbttt.exe PID 3552 wrote to memory of 3772 3552 pddvp.exe bbbttt.exe PID 3552 wrote to memory of 3772 3552 pddvp.exe bbbttt.exe PID 3772 wrote to memory of 4432 3772 bbbttt.exe jjpvp.exe PID 3772 wrote to memory of 4432 3772 bbbttt.exe jjpvp.exe PID 3772 wrote to memory of 4432 3772 bbbttt.exe jjpvp.exe PID 4432 wrote to memory of 1308 4432 jjpvp.exe llrfffl.exe PID 4432 wrote to memory of 1308 4432 jjpvp.exe llrfffl.exe PID 4432 wrote to memory of 1308 4432 jjpvp.exe llrfffl.exe PID 1308 wrote to memory of 2924 1308 llrfffl.exe bnhthh.exe PID 1308 wrote to memory of 2924 1308 llrfffl.exe bnhthh.exe PID 1308 wrote to memory of 2924 1308 llrfffl.exe 
bnhthh.exe PID 2924 wrote to memory of 1164 2924 bnhthh.exe jjvjv.exe PID 2924 wrote to memory of 1164 2924 bnhthh.exe jjvjv.exe PID 2924 wrote to memory of 1164 2924 bnhthh.exe jjvjv.exe PID 1164 wrote to memory of 3524 1164 jjvjv.exe xlrlxrl.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a23635fd34c3e0832c2af0cd303a8500_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\a23635fd34c3e0832c2af0cd303a8500_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\jdvvv.exe c:\jdvvv.exe 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\rffrfrf.exec:\rffrfrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\vjjvj.exec:\vjjvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\rlfllxr.exec:\rlfllxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\vdvvp.exec:\vdvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\nbhbtn.exec:\nbhbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\5rlfrlx.exec:\5rlfrlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\jpjvp.exec:\jpjvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\5jjvp.exec:\5jjvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
\??\c:\tntbtn.exec:\tntbtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\1dpdp.exec:\1dpdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\lrxlfxr.exec:\lrxlfxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\pdjpd.exec:\pdjpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\rrrflfr.exec:\rrrflfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\bnhbnn.exec:\bnhbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\pddvp.exec:\pddvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\bbbttt.exec:\bbbttt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\jjpvp.exec:\jjpvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\llrfffl.exec:\llrfffl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\bnhthh.exec:\bnhthh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\jjvjv.exec:\jjvjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\xlrlxrl.exec:\xlrlxrl.exe23⤵
- Executes dropped EXE
PID:3524 -
\??\c:\nhnnnn.exec:\nhnnnn.exe24⤵
- Executes dropped EXE
PID:4920 -
\??\c:\flfrrxl.exec:\flfrrxl.exe25⤵
- Executes dropped EXE
PID:2632 -
\??\c:\fflrfxl.exec:\fflrfxl.exe26⤵
- Executes dropped EXE
PID:4044 -
\??\c:\nhnbnh.exec:\nhnbnh.exe27⤵
- Executes dropped EXE
PID:3136 -
\??\c:\dvvpd.exec:\dvvpd.exe28⤵
- Executes dropped EXE
PID:2856 -
\??\c:\ntnbbt.exec:\ntnbbt.exe29⤵
- Executes dropped EXE
PID:924 -
\??\c:\pdvvp.exec:\pdvvp.exe30⤵
- Executes dropped EXE
PID:216 -
\??\c:\nbbhtn.exec:\nbbhtn.exe31⤵
- Executes dropped EXE
PID:3752 -
\??\c:\ntthbb.exec:\ntthbb.exe32⤵
- Executes dropped EXE
PID:4500 -
\??\c:\lffxxrr.exec:\lffxxrr.exe33⤵
- Executes dropped EXE
PID:2972 -
\??\c:\nhbtbh.exec:\nhbtbh.exe34⤵
- Executes dropped EXE
PID:4552 -
\??\c:\1pjdv.exec:\1pjdv.exe35⤵
- Executes dropped EXE
PID:3564 -
\??\c:\htnbnh.exec:\htnbnh.exe36⤵
- Executes dropped EXE
PID:4740 -
\??\c:\nnbnbn.exec:\nnbnbn.exe37⤵
- Executes dropped EXE
PID:3760 -
\??\c:\jdjdv.exec:\jdjdv.exe38⤵
- Executes dropped EXE
PID:1996 -
\??\c:\frlrlxx.exec:\frlrlxx.exe39⤵
- Executes dropped EXE
PID:4360 -
\??\c:\7bhbbb.exec:\7bhbbb.exe40⤵
- Executes dropped EXE
PID:208 -
\??\c:\tnnhtn.exec:\tnnhtn.exe41⤵
- Executes dropped EXE
PID:2872 -
\??\c:\7jjvj.exec:\7jjvj.exe42⤵
- Executes dropped EXE
PID:1192 -
\??\c:\1rlffll.exec:\1rlffll.exe43⤵
- Executes dropped EXE
PID:3476 -
\??\c:\bnbttn.exec:\bnbttn.exe44⤵
- Executes dropped EXE
PID:912 -
\??\c:\ppdvd.exec:\ppdvd.exe45⤵
- Executes dropped EXE
PID:2396 -
\??\c:\vddvj.exec:\vddvj.exe46⤵
- Executes dropped EXE
PID:5028 -
\??\c:\xlxflrr.exec:\xlxflrr.exe47⤵
- Executes dropped EXE
PID:3440 -
\??\c:\hhtnhb.exec:\hhtnhb.exe48⤵
- Executes dropped EXE
PID:2688 -
\??\c:\dpvpv.exec:\dpvpv.exe49⤵
- Executes dropped EXE
PID:4320 -
\??\c:\pjjjd.exec:\pjjjd.exe50⤵
- Executes dropped EXE
PID:4956 -
\??\c:\llrfxrf.exec:\llrfxrf.exe51⤵
- Executes dropped EXE
PID:4508 -
\??\c:\rxxlffr.exec:\rxxlffr.exe52⤵
- Executes dropped EXE
PID:2520 -
\??\c:\nbhbnn.exec:\nbhbnn.exe53⤵
- Executes dropped EXE
PID:3096 -
\??\c:\pdvpd.exec:\pdvpd.exe54⤵
- Executes dropped EXE
PID:3820 -
\??\c:\fxfffff.exec:\fxfffff.exe55⤵
- Executes dropped EXE
PID:544 -
\??\c:\7xfrffx.exec:\7xfrffx.exe56⤵
- Executes dropped EXE
PID:732 -
\??\c:\htnbtn.exec:\htnbtn.exe57⤵
- Executes dropped EXE
PID:1716 -
\??\c:\jvdvv.exec:\jvdvv.exe58⤵
- Executes dropped EXE
PID:4340 -
\??\c:\ppvjp.exec:\ppvjp.exe59⤵
- Executes dropped EXE
PID:3756 -
\??\c:\xfffxff.exec:\xfffxff.exe60⤵
- Executes dropped EXE
PID:892 -
\??\c:\bnnbtn.exec:\bnnbtn.exe61⤵
- Executes dropped EXE
PID:3132 -
\??\c:\bbnbbn.exec:\bbnbbn.exe62⤵
- Executes dropped EXE
PID:1308 -
\??\c:\rflflff.exec:\rflflff.exe63⤵
- Executes dropped EXE
PID:2112 -
\??\c:\bbtthh.exec:\bbtthh.exe64⤵
- Executes dropped EXE
PID:1268 -
\??\c:\nnbhnh.exec:\nnbhnh.exe65⤵
- Executes dropped EXE
PID:3624 -
\??\c:\jvjpd.exec:\jvjpd.exe66⤵PID:512
-
\??\c:\rffrfxl.exec:\rffrfxl.exe67⤵PID:3256
-
\??\c:\htthtn.exec:\htthtn.exe68⤵PID:1420
-
\??\c:\hnnbnn.exec:\hnnbnn.exe69⤵PID:2312
-
\??\c:\5jdpj.exec:\5jdpj.exe70⤵PID:2696
-
\??\c:\xllfrll.exec:\xllfrll.exe71⤵PID:3712
-
\??\c:\bbbthb.exec:\bbbthb.exe72⤵PID:4952
-
\??\c:\bntntn.exec:\bntntn.exe73⤵PID:2272
-
\??\c:\jvdpp.exec:\jvdpp.exe74⤵PID:224
-
\??\c:\frlxfxl.exec:\frlxfxl.exe75⤵PID:3884
-
\??\c:\ffxlxxl.exec:\ffxlxxl.exe76⤵PID:5000
-
\??\c:\nntnbt.exec:\nntnbt.exe77⤵PID:3752
-
\??\c:\jjjvv.exec:\jjjvv.exe78⤵PID:3504
-
\??\c:\lfxlxlx.exec:\lfxlxlx.exe79⤵PID:1080
-
\??\c:\rlrfxrr.exec:\rlrfxrr.exe80⤵PID:3936
-
\??\c:\nntnnn.exec:\nntnnn.exe81⤵PID:1724
-
\??\c:\vddpv.exec:\vddpv.exe82⤵PID:3768
-
\??\c:\vvpdp.exec:\vvpdp.exe83⤵PID:4740
-
\??\c:\rfxfrlf.exec:\rfxfrlf.exe84⤵PID:3760
-
\??\c:\ffxrrlf.exec:\ffxrrlf.exe85⤵PID:116
-
\??\c:\hnhthb.exec:\hnhthb.exe86⤵PID:4712
-
\??\c:\3vpdv.exec:\3vpdv.exe87⤵PID:3848
-
\??\c:\jpvjd.exec:\jpvjd.exe88⤵PID:1140
-
\??\c:\7flffxx.exec:\7flffxx.exe89⤵PID:1192
-
\??\c:\bnhtth.exec:\bnhtth.exe90⤵PID:4324
-
\??\c:\tbnbnh.exec:\tbnbnh.exe91⤵PID:4356
-
\??\c:\dddvp.exec:\dddvp.exe92⤵PID:964
-
\??\c:\9llxlfl.exec:\9llxlfl.exe93⤵PID:3244
-
\??\c:\tthbbb.exec:\tthbbb.exe94⤵PID:2224
-
\??\c:\thbnbt.exec:\thbnbt.exe95⤵PID:2404
-
\??\c:\jdjvj.exec:\jdjvj.exe96⤵PID:1916
-
\??\c:\lxxfxxr.exec:\lxxfxxr.exe97⤵PID:2624
-
\??\c:\thnbnh.exec:\thnbnh.exe98⤵PID:4036
-
\??\c:\bbhtnh.exec:\bbhtnh.exe99⤵PID:3576
-
\??\c:\3djdd.exec:\3djdd.exe100⤵PID:508
-
\??\c:\lxfrllf.exec:\lxfrllf.exe101⤵PID:4164
-
\??\c:\rxfrfxx.exec:\rxfrfxx.exe102⤵PID:4864
-
\??\c:\thhbbb.exec:\thhbbb.exe103⤵PID:732
-
\??\c:\nbthtn.exec:\nbthtn.exe104⤵PID:452
-
\??\c:\3ppdv.exec:\3ppdv.exe105⤵PID:4340
-
\??\c:\dddvp.exec:\dddvp.exe106⤵PID:2128
-
\??\c:\rllfrfx.exec:\rllfrfx.exe107⤵PID:4312
-
\??\c:\nbbnbn.exec:\nbbnbn.exe108⤵PID:3132
-
\??\c:\hhthth.exec:\hhthth.exe109⤵PID:2924
-
\??\c:\vpdpd.exec:\vpdpd.exe110⤵PID:552
-
\??\c:\jppjv.exec:\jppjv.exe111⤵PID:404
-
\??\c:\xllrfrl.exec:\xllrfrl.exe112⤵PID:3500
-
\??\c:\bbbnht.exec:\bbbnht.exe113⤵PID:1152
-
\??\c:\vjjdv.exec:\vjjdv.exe114⤵PID:2084
-
\??\c:\9lfrxrl.exec:\9lfrxrl.exe115⤵PID:464
-
\??\c:\rxfxrlx.exec:\rxfxrlx.exe116⤵PID:5008
-
\??\c:\nbtnbt.exec:\nbtnbt.exe117⤵PID:1972
-
\??\c:\jdvjj.exec:\jdvjj.exe118⤵PID:2880
-
\??\c:\pdjvj.exec:\pdjvj.exe119⤵PID:836
-
\??\c:\fxxfrxl.exec:\fxxfrxl.exe120⤵PID:3712
-
\??\c:\thbtht.exec:\thbtht.exe121⤵PID:4512
-
\??\c:\5nbnbn.exec:\5nbnbn.exe122⤵PID:4220
-
\??\c:\ppjvj.exec:\ppjvj.exe123⤵PID:224
-
\??\c:\xfffrlx.exec:\xfffrlx.exe124⤵PID:3884
-
\??\c:\flfrlfx.exec:\flfrlfx.exe125⤵PID:4576
-
\??\c:\hbhtnh.exec:\hbhtnh.exe126⤵PID:1284
-
\??\c:\pvdpd.exec:\pvdpd.exe127⤵PID:448
-
\??\c:\vddpj.exec:\vddpj.exe128⤵PID:2488
-
\??\c:\3lxrfrl.exec:\3lxrfrl.exe129⤵PID:2492
-
\??\c:\ntthtt.exec:\ntthtt.exe130⤵PID:4904
-
\??\c:\ppdpj.exec:\ppdpj.exe131⤵PID:1488
-
\??\c:\lrrlxrl.exec:\lrrlxrl.exe132⤵PID:3760
-
\??\c:\xfrrfxr.exec:\xfrrfxr.exe133⤵PID:116
-
\??\c:\ttthth.exec:\ttthth.exe134⤵PID:4712
-
\??\c:\vpvvd.exec:\vpvvd.exe135⤵PID:4316
-
\??\c:\lrxlxrf.exec:\lrxlxrf.exe136⤵PID:2388
-
\??\c:\xllfxxl.exec:\xllfxxl.exe137⤵PID:2476
-
\??\c:\btbbtt.exec:\btbbtt.exe138⤵PID:4100
-
\??\c:\thhhtn.exec:\thhhtn.exe139⤵PID:4652
-
\??\c:\7vvpd.exec:\7vvpd.exe140⤵PID:3616
-
\??\c:\9flxrlf.exec:\9flxrlf.exe141⤵PID:848
-
\??\c:\bnhthb.exec:\bnhthb.exe142⤵PID:3700
-
\??\c:\bbbbtn.exec:\bbbbtn.exe143⤵PID:4320
-
\??\c:\pjvjj.exec:\pjvjj.exe144⤵PID:4956
-
\??\c:\fxfffrf.exec:\fxfffrf.exe145⤵PID:2468
-
\??\c:\hnthhb.exec:\hnthhb.exe146⤵PID:4848
-
\??\c:\nbthtt.exec:\nbthtt.exe147⤵PID:1016
-
\??\c:\vjpjv.exec:\vjpjv.exe148⤵PID:3172
-
\??\c:\flfxrlx.exec:\flfxrlx.exe149⤵PID:4588
-
\??\c:\lxlfrlf.exec:\lxlfrlf.exe150⤵PID:4580
-
\??\c:\hbhbhb.exec:\hbhbhb.exe151⤵PID:2592
-
\??\c:\pjpdd.exec:\pjpdd.exe152⤵PID:2128
-
\??\c:\3djdd.exec:\3djdd.exe153⤵PID:4616
-
\??\c:\rrfxfxx.exec:\rrfxfxx.exe154⤵PID:1580
-
\??\c:\nnbnbt.exec:\nnbnbt.exe155⤵PID:2924
-
\??\c:\bhtthh.exec:\bhtthh.exe156⤵PID:3948
-
\??\c:\dppjd.exec:\dppjd.exe157⤵PID:1780
-
\??\c:\xflfxrf.exec:\xflfxrf.exe158⤵PID:1008
-
\??\c:\tnhbnh.exec:\tnhbnh.exe159⤵PID:1152
-
\??\c:\tbthtn.exec:\tbthtn.exe160⤵PID:2632
-
\??\c:\pdpvv.exec:\pdpvv.exe161⤵PID:3256
-
\??\c:\flrfxlf.exec:\flrfxlf.exe162⤵PID:1972
-
\??\c:\hnhthb.exec:\hnhthb.exe163⤵PID:3136
-
\??\c:\nhbbtb.exec:\nhbbtb.exe164⤵PID:3188
-
\??\c:\5vjdp.exec:\5vjdp.exe165⤵PID:3328
-
\??\c:\xffrlfx.exec:\xffrlfx.exe166⤵PID:3304
-
\??\c:\tbnbnb.exec:\tbnbnb.exe167⤵PID:1472
-
\??\c:\thhbtt.exec:\thhbtt.exe168⤵PID:2488
-
\??\c:\pdjdj.exec:\pdjdj.exe169⤵PID:1920
-
\??\c:\jppjd.exec:\jppjd.exe170⤵PID:2932
-
\??\c:\rlfrfrf.exec:\rlfrfrf.exe171⤵PID:1488
-
\??\c:\bhhhtb.exec:\bhhhtb.exe172⤵PID:2296
-
\??\c:\dddpv.exec:\dddpv.exe173⤵PID:2872
-
\??\c:\1jvjv.exec:\1jvjv.exe174⤵PID:4968
-
\??\c:\fxfrlfx.exec:\fxfrlfx.exe175⤵PID:3420
-
\??\c:\hthbtn.exec:\hthbtn.exe176⤵PID:2388
-
\??\c:\hhhtnh.exec:\hhhtnh.exe177⤵PID:4476
-
\??\c:\ddvjv.exec:\ddvjv.exe178⤵PID:4116
-
\??\c:\rlrffxf.exec:\rlrffxf.exe179⤵PID:964
-
\??\c:\fxfrrff.exec:\fxfrrff.exe180⤵PID:4052
-
\??\c:\nhbthb.exec:\nhbthb.exe181⤵PID:4932
-
\??\c:\bnbnhb.exec:\bnbnhb.exe182⤵PID:4072
-
\??\c:\pdpdp.exec:\pdpdp.exe183⤵PID:3576
-
\??\c:\1lfxrrf.exec:\1lfxrrf.exe184⤵PID:3036
-
\??\c:\ttttnh.exec:\ttttnh.exe185⤵PID:4864
-
\??\c:\9vpvj.exec:\9vpvj.exe186⤵PID:3772
-
\??\c:\pjdpj.exec:\pjdpj.exe187⤵PID:3720
-
\??\c:\fxrlfxr.exec:\fxrlfxr.exe188⤵PID:3380
-
\??\c:\bbbtnn.exec:\bbbtnn.exe189⤵PID:3596
-
\??\c:\pjvpd.exec:\pjvpd.exe190⤵PID:3028
-
\??\c:\jvpdp.exec:\jvpdp.exe191⤵PID:1812
-
\??\c:\9ffrfxl.exec:\9ffrfxl.exe192⤵PID:1232
-
\??\c:\bthbtn.exec:\bthbtn.exe193⤵PID:948
-
\??\c:\hbnbbt.exec:\hbnbbt.exe194⤵PID:3500
-
\??\c:\vjpjp.exec:\vjpjp.exe195⤵PID:4884
-
\??\c:\rflffxf.exec:\rflffxf.exe196⤵PID:4428
-
\??\c:\hbbtnt.exec:\hbbtnt.exe197⤵PID:512
-
\??\c:\tntnnh.exec:\tntnnh.exe198⤵PID:3512
-
\??\c:\vjjpj.exec:\vjjpj.exe199⤵PID:852
-
\??\c:\llflfxl.exec:\llflfxl.exe200⤵PID:4640
-
\??\c:\nnhbtt.exec:\nnhbtt.exe201⤵PID:2856
-
\??\c:\ntthtn.exec:\ntthtn.exe202⤵PID:4988
-
\??\c:\jvdvp.exec:\jvdvp.exe203⤵PID:224
-
\??\c:\xlfrxlr.exec:\xlfrxlr.exe204⤵PID:4544
-
\??\c:\xrlflff.exec:\xrlflff.exe205⤵PID:4764
-
\??\c:\5bnhbt.exec:\5bnhbt.exe206⤵PID:1724
-
\??\c:\ddvpd.exec:\ddvpd.exe207⤵PID:3764
-
\??\c:\5rfxllx.exec:\5rfxllx.exe208⤵PID:4904
-
\??\c:\fllfffr.exec:\fllfffr.exe209⤵PID:3760
-
\??\c:\1hbthb.exec:\1hbthb.exe210⤵PID:3832
-
\??\c:\vpvpd.exec:\vpvpd.exe211⤵PID:2296
-
\??\c:\ppjpp.exec:\ppjpp.exe212⤵PID:2872
-
\??\c:\rxxrffr.exec:\rxxrffr.exe213⤵PID:4968
-
\??\c:\tnhbtn.exec:\tnhbtn.exe214⤵PID:3208
-
\??\c:\dvvjv.exec:\dvvjv.exe215⤵PID:2112
-
\??\c:\frfxfxr.exec:\frfxfxr.exe216⤵PID:3000
-
\??\c:\rfxlrxl.exec:\rfxlrxl.exe217⤵PID:3044
-
\??\c:\3hbtnn.exec:\3hbtnn.exe218⤵PID:4496
-
\??\c:\thnbnh.exec:\thnbnh.exe219⤵PID:3244
-
\??\c:\1dvjp.exec:\1dvjp.exe220⤵PID:1344
-
\??\c:\xrlxlxr.exec:\xrlxlxr.exe221⤵PID:4976
-
\??\c:\tnnhhh.exec:\tnnhhh.exe222⤵PID:2624
-
\??\c:\bhhtbt.exec:\bhhtbt.exe223⤵PID:4072
-
\??\c:\dpjdp.exec:\dpjdp.exe224⤵PID:4408
-
\??\c:\fxxfrlf.exec:\fxxfrlf.exe225⤵PID:2964
-
\??\c:\1bhbbt.exec:\1bhbbt.exe226⤵PID:3432
-
\??\c:\btthtn.exec:\btthtn.exe227⤵PID:544
-
\??\c:\3vdpd.exec:\3vdpd.exe228⤵PID:452
-
\??\c:\llrlxrf.exec:\llrlxrf.exe229⤵PID:3356
-
\??\c:\fllxrlx.exec:\fllxrlx.exe230⤵PID:3248
-
\??\c:\7hnbbt.exec:\7hnbbt.exe231⤵PID:3584
-
\??\c:\vpvjd.exec:\vpvjd.exe232⤵PID:1036
-
\??\c:\vpvpd.exec:\vpvpd.exe233⤵PID:3016
-
\??\c:\3rflffx.exec:\3rflffx.exe234⤵PID:2924
-
\??\c:\nbhbnn.exec:\nbhbnn.exe235⤵PID:2344
-
\??\c:\jpjpv.exec:\jpjpv.exe236⤵PID:3524
-
\??\c:\ffrlrrl.exec:\ffrlrrl.exe237⤵PID:3500
-
\??\c:\frlfxxl.exec:\frlfxxl.exe238⤵PID:4884
-
\??\c:\7bthbh.exec:\7bthbh.exe239⤵PID:4428
-
\??\c:\jpvpd.exec:\jpvpd.exe240⤵PID:4348
-
\??\c:\xfrlllx.exec:\xfrlllx.exe241⤵PID:2804
-
\??\c:\7tbttt.exec:\7tbttt.exe242⤵PID:852