Analysis
-
max time kernel
150s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
18-05-2024 06:25
Behavioral task
behavioral1 — note: this card appears to describe a sibling run (win7-20240221-en / windows7-x64), while the platform fields above and every signature and IoC listed below are tagged behavioral2, i.e. the win10v2004-20240508-en x64 run; do not read the win7 resource as the environment that produced the process tree on this page
Sample
a28f8b1b77c473d40cbd24126057c790_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
5 signatures
150 seconds
General
-
Target
a28f8b1b77c473d40cbd24126057c790_NeikiAnalytics.exe
-
Size
401KB
-
MD5
a28f8b1b77c473d40cbd24126057c790
-
SHA1
ddebcc4087b10b9f22dd66b0ab8e50f634342725
-
SHA256
84e5f90c2df0a0a9672eeeeae569ecd3a1e4e86089917a65dc9ca78bbc7738a9
-
SHA512
837f8d665ffd28d06efd75df6cb17672e68c93ecbed5d80b1dea45ec9b55628e9fd44579a0e22e285a323440161cace55ce4d84abf9ee43844c2ee23de9078f3
-
SSDEEP
6144:kcm4FmowdHoSph3Ymu8wdHoSM05d34iWRbzami3e:y4wFHoS3zuxHoSTd34iWRhiu
Malware Config (section is empty in this report — no C2/configuration data is shown for this sample)
Signatures
-
Detect Blackmoon payload — 64 IoCs (listing capped at 64 entries; every match is the YARA rule family_blackmoon on the same 0x0000000000400000–0x0000000000427000 image range inside each spawned process, so the same unpacked payload is present in every link of the chain)
Processes:
resource yara_rule behavioral2/memory/3100-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2820-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3160-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/412-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1148-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2912-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/736-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2124-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1772-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1196-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1408-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4776-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1716-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4256-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/612-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3992-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/904-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4160-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2296-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4200-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2044-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4772-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4180-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3516-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3196-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/828-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4084-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3020-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4568-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1420-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1420-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4452-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4160-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4460-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4496-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3248-420-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1916-445-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/816-452-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1668-464-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/612-487-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2044-532-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1056-543-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2124-568-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-575-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3916-582-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-622-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2888-663-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4420-674-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3196-705-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4492-872-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (listing capped at 64; the process tree below shows the drop-and-execute chain continuing far past 64 executables)
Processes:
xfxrrlx.exe htnhhb.exe vvjvp.exe lfrlfxr.exe bnhbtn.exe 3vddp.exe 1vjdv.exe xfxlxrl.exe ntthth.exe 1vpjv.exe httntn.exe frxrrll.exe 5tthbt.exe xfxxxxr.exe rxrfrlx.exe jdpjj.exe frfxrlf.exe hthtnh.exe 5llxlfx.exe vppdv.exe thtnhb.exe 1pjjj.exe frfrfxx.exe vpjdv.exe lxrrfxr.exe hnttnt.exe pvdvv.exe lxxrffx.exe dvdvp.exe fffxllf.exe dppdv.exe nthtnh.exe 9bttnn.exe 5pvjd.exe bnnhbb.exe pvjdv.exe rlrfxrl.exe nhhbnb.exe dvvpj.exe vdjjj.exe rlxrrlf.exe nntnbt.exe jdjdj.exe llllxlf.exe htnbbb.exe vddvp.exe 7rrfrlf.exe frllxxl.exe tnnbnn.exe pdvjv.exe 7dvjd.exe 9rlfrlf.exe nbbnhb.exe jddvp.exe frrlffx.exe llllffr.exe nhbbnt.exe ddvpd.exe frlfrrl.exe bhbtnn.exe thttnn.exe pdjvd.exe lxrfrlf.exe lffxlfx.exe pid process 2236 xfxrrlx.exe 2820 htnhhb.exe 412 vvjvp.exe 3160 lfrlfxr.exe 1148 bnhbtn.exe 3528 3vddp.exe 2912 1vjdv.exe 1836 xfxlxrl.exe 736 ntthth.exe 4876 1vpjv.exe 2124 httntn.exe 756 frxrrll.exe 1772 5tthbt.exe 1196 xfxxxxr.exe 824 rxrfrlx.exe 4080 jdpjj.exe 1408 frfxrlf.exe 4776 hthtnh.exe 1716 5llxlfx.exe 4256 vppdv.exe 4484 thtnhb.exe 612 1pjjj.exe 2920 frfrfxx.exe 3992 vpjdv.exe 3168 lxrrfxr.exe 904 hnttnt.exe 1036 pvdvv.exe 2768 lxxrffx.exe 4160 dvdvp.exe 2296 fffxllf.exe 3420 dppdv.exe 2880 nthtnh.exe 4592 9bttnn.exe 2944 5pvjd.exe 4200 bnnhbb.exe 1900 pvjdv.exe 3668 rlrfxrl.exe 2348 nhhbnb.exe 2044 dvvpj.exe 2788 vdjjj.exe 2236 rlxrrlf.exe 4772 nntnbt.exe 4272 jdjdj.exe 1500 llllxlf.exe 1056 htnbbb.exe 4180 vddvp.exe 3516 7rrfrlf.exe 1204 frllxxl.exe 3196 tnnbnn.exe 2304 pdvjv.exe 4972 7dvjd.exe 3560 9rlfrlf.exe 828 nbbnhb.exe 4084 jddvp.exe 4188 frrlffx.exe 4976 llllffr.exe 1920 nhbbnt.exe 2260 ddvpd.exe 5076 frlfrrl.exe 2744 bhbtnn.exe 2532 thttnn.exe 3268 pdjvd.exe 1668 lxrfrlf.exe 4552 lffxlfx.exe -
Processes (YARA rule `upx` matches — the submitted sample's image, its in-memory mappings and each dropped executable in C:\ are flagged as UPX-packed; the static hashes above therefore describe the packed container, not the Blackmoon payload):
resource yara_rule behavioral2/memory/3100-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3100-6-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\xfxrrlx.exe upx C:\vvjvp.exe upx behavioral2/memory/2236-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2820-12-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\htnhhb.exe upx C:\lfrlfxr.exe upx behavioral2/memory/3160-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/412-23-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bnhbtn.exe upx behavioral2/memory/1148-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3528-37-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\3vddp.exe upx C:\1vjdv.exe upx behavioral2/memory/2912-44-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xfxlxrl.exe upx C:\ntthth.exe upx C:\1vpjv.exe upx behavioral2/memory/736-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4876-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4876-65-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\httntn.exe upx C:\frxrrll.exe upx behavioral2/memory/2124-72-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\5tthbt.exe upx C:\xfxxxxr.exe upx behavioral2/memory/1772-81-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rxrfrlx.exe upx behavioral2/memory/1196-87-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\jdpjj.exe upx C:\frfxrlf.exe upx behavioral2/memory/4080-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1408-101-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\hthtnh.exe upx C:\5llxlfx.exe upx behavioral2/memory/4776-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1716-117-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\vppdv.exe upx behavioral2/memory/4256-122-0x0000000000400000-0x0000000000427000-memory.dmp 
upx C:\thtnhb.exe upx C:\1pjjj.exe upx \??\c:\frfrfxx.exe upx behavioral2/memory/612-133-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\vpjdv.exe upx behavioral2/memory/3992-142-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\lxrrfxr.exe upx C:\hnttnt.exe upx behavioral2/memory/904-155-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\pvdvv.exe upx C:\lxxrffx.exe upx C:\dvdvp.exe upx behavioral2/memory/4160-169-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\fffxllf.exe upx C:\dppdv.exe upx behavioral2/memory/2296-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3420-181-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\nthtnh.exe upx behavioral2/memory/3420-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4592-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4200-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4200-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1900-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2044-211-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory — 64 IoCs (listing capped at 64). In every entry the write target is the child the parent has just launched, and each spawn is logged three times; that pattern is consistent with ordinary process creation of the next link in the chain rather than injection into an unrelated process, so treat this signature as weak evidence on its own.
Processes:
a28f8b1b77c473d40cbd24126057c790_NeikiAnalytics.exe xfxrrlx.exe htnhhb.exe vvjvp.exe lfrlfxr.exe bnhbtn.exe 3vddp.exe 1vjdv.exe xfxlxrl.exe ntthth.exe 1vpjv.exe httntn.exe frxrrll.exe 5tthbt.exe xfxxxxr.exe rxrfrlx.exe jdpjj.exe frfxrlf.exe hthtnh.exe 5llxlfx.exe vppdv.exe thtnhb.exe description pid process target process PID 3100 wrote to memory of 2236 3100 a28f8b1b77c473d40cbd24126057c790_NeikiAnalytics.exe xfxrrlx.exe PID 3100 wrote to memory of 2236 3100 a28f8b1b77c473d40cbd24126057c790_NeikiAnalytics.exe xfxrrlx.exe PID 3100 wrote to memory of 2236 3100 a28f8b1b77c473d40cbd24126057c790_NeikiAnalytics.exe xfxrrlx.exe PID 2236 wrote to memory of 2820 2236 xfxrrlx.exe htnhhb.exe PID 2236 wrote to memory of 2820 2236 xfxrrlx.exe htnhhb.exe PID 2236 wrote to memory of 2820 2236 xfxrrlx.exe htnhhb.exe PID 2820 wrote to memory of 412 2820 htnhhb.exe vvjvp.exe PID 2820 wrote to memory of 412 2820 htnhhb.exe vvjvp.exe PID 2820 wrote to memory of 412 2820 htnhhb.exe vvjvp.exe PID 412 wrote to memory of 3160 412 vvjvp.exe lfrlfxr.exe PID 412 wrote to memory of 3160 412 vvjvp.exe lfrlfxr.exe PID 412 wrote to memory of 3160 412 vvjvp.exe lfrlfxr.exe PID 3160 wrote to memory of 1148 3160 lfrlfxr.exe bnhbtn.exe PID 3160 wrote to memory of 1148 3160 lfrlfxr.exe bnhbtn.exe PID 3160 wrote to memory of 1148 3160 lfrlfxr.exe bnhbtn.exe PID 1148 wrote to memory of 3528 1148 bnhbtn.exe 3vddp.exe PID 1148 wrote to memory of 3528 1148 bnhbtn.exe 3vddp.exe PID 1148 wrote to memory of 3528 1148 bnhbtn.exe 3vddp.exe PID 3528 wrote to memory of 2912 3528 3vddp.exe 1vjdv.exe PID 3528 wrote to memory of 2912 3528 3vddp.exe 1vjdv.exe PID 3528 wrote to memory of 2912 3528 3vddp.exe 1vjdv.exe PID 2912 wrote to memory of 1836 2912 1vjdv.exe xfxlxrl.exe PID 2912 wrote to memory of 1836 2912 1vjdv.exe xfxlxrl.exe PID 2912 wrote to memory of 1836 2912 1vjdv.exe xfxlxrl.exe PID 1836 wrote to memory of 736 1836 xfxlxrl.exe ntthth.exe PID 1836 wrote to memory of 736 1836 xfxlxrl.exe ntthth.exe PID 1836 wrote to memory
of 736 1836 xfxlxrl.exe ntthth.exe PID 736 wrote to memory of 4876 736 ntthth.exe 1vpjv.exe PID 736 wrote to memory of 4876 736 ntthth.exe 1vpjv.exe PID 736 wrote to memory of 4876 736 ntthth.exe 1vpjv.exe PID 4876 wrote to memory of 2124 4876 1vpjv.exe httntn.exe PID 4876 wrote to memory of 2124 4876 1vpjv.exe httntn.exe PID 4876 wrote to memory of 2124 4876 1vpjv.exe httntn.exe PID 2124 wrote to memory of 756 2124 httntn.exe frxrrll.exe PID 2124 wrote to memory of 756 2124 httntn.exe frxrrll.exe PID 2124 wrote to memory of 756 2124 httntn.exe frxrrll.exe PID 756 wrote to memory of 1772 756 frxrrll.exe 5tthbt.exe PID 756 wrote to memory of 1772 756 frxrrll.exe 5tthbt.exe PID 756 wrote to memory of 1772 756 frxrrll.exe 5tthbt.exe PID 1772 wrote to memory of 1196 1772 5tthbt.exe xfxxxxr.exe PID 1772 wrote to memory of 1196 1772 5tthbt.exe xfxxxxr.exe PID 1772 wrote to memory of 1196 1772 5tthbt.exe xfxxxxr.exe PID 1196 wrote to memory of 824 1196 xfxxxxr.exe rxrfrlx.exe PID 1196 wrote to memory of 824 1196 xfxxxxr.exe rxrfrlx.exe PID 1196 wrote to memory of 824 1196 xfxxxxr.exe rxrfrlx.exe PID 824 wrote to memory of 4080 824 rxrfrlx.exe jdpjj.exe PID 824 wrote to memory of 4080 824 rxrfrlx.exe jdpjj.exe PID 824 wrote to memory of 4080 824 rxrfrlx.exe jdpjj.exe PID 4080 wrote to memory of 1408 4080 jdpjj.exe frfxrlf.exe PID 4080 wrote to memory of 1408 4080 jdpjj.exe frfxrlf.exe PID 4080 wrote to memory of 1408 4080 jdpjj.exe frfxrlf.exe PID 1408 wrote to memory of 4776 1408 frfxrlf.exe hthtnh.exe PID 1408 wrote to memory of 4776 1408 frfxrlf.exe hthtnh.exe PID 1408 wrote to memory of 4776 1408 frfxrlf.exe hthtnh.exe PID 4776 wrote to memory of 1716 4776 hthtnh.exe 5llxlfx.exe PID 4776 wrote to memory of 1716 4776 hthtnh.exe 5llxlfx.exe PID 4776 wrote to memory of 1716 4776 hthtnh.exe 5llxlfx.exe PID 1716 wrote to memory of 4256 1716 5llxlfx.exe vppdv.exe PID 1716 wrote to memory of 4256 1716 5llxlfx.exe vppdv.exe PID 1716 wrote to memory of 4256 1716 5llxlfx.exe 
vppdv.exe PID 4256 wrote to memory of 4484 4256 vppdv.exe thtnhb.exe PID 4256 wrote to memory of 4484 4256 vppdv.exe thtnhb.exe PID 4256 wrote to memory of 4484 4256 vppdv.exe thtnhb.exe PID 4484 wrote to memory of 612 4484 thtnhb.exe 1pjjj.exe
Processes (process tree, at least 242 levels deep: each link drops and launches the next executable in C:\ under a random name built from a small alphabet of letters. PIDs such as 2236, 4776, 1716, 612 and 4552 recur at deeper levels, so earlier links have exited and their PIDs were recycled — expect only a few of these processes to be alive at any one time, and key detections on the drop/execute pattern rather than on any single file name.)
-
C:\Users\Admin\AppData\Local\Temp\a28f8b1b77c473d40cbd24126057c790_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\a28f8b1b77c473d40cbd24126057c790_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\xfxrrlx.exec:\xfxrrlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\htnhhb.exec:\htnhhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\vvjvp.exec:\vvjvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\lfrlfxr.exec:\lfrlfxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
\??\c:\bnhbtn.exec:\bnhbtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\3vddp.exec:\3vddp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\1vjdv.exec:\1vjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\xfxlxrl.exec:\xfxlxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\ntthth.exec:\ntthth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\1vpjv.exec:\1vpjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\httntn.exec:\httntn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\frxrrll.exec:\frxrrll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\5tthbt.exec:\5tthbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\xfxxxxr.exec:\xfxxxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\rxrfrlx.exec:\rxrfrlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\jdpjj.exec:\jdpjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\frfxrlf.exec:\frfxrlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\hthtnh.exec:\hthtnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\5llxlfx.exec:\5llxlfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\vppdv.exec:\vppdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\thtnhb.exec:\thtnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\1pjjj.exec:\1pjjj.exe23⤵
- Executes dropped EXE
PID:612 -
\??\c:\frfrfxx.exec:\frfrfxx.exe24⤵
- Executes dropped EXE
PID:2920 -
\??\c:\vpjdv.exec:\vpjdv.exe25⤵
- Executes dropped EXE
PID:3992 -
\??\c:\lxrrfxr.exec:\lxrrfxr.exe26⤵
- Executes dropped EXE
PID:3168 -
\??\c:\hnttnt.exec:\hnttnt.exe27⤵
- Executes dropped EXE
PID:904 -
\??\c:\pvdvv.exec:\pvdvv.exe28⤵
- Executes dropped EXE
PID:1036 -
\??\c:\lxxrffx.exec:\lxxrffx.exe29⤵
- Executes dropped EXE
PID:2768 -
\??\c:\dvdvp.exec:\dvdvp.exe30⤵
- Executes dropped EXE
PID:4160 -
\??\c:\fffxllf.exec:\fffxllf.exe31⤵
- Executes dropped EXE
PID:2296 -
\??\c:\dppdv.exec:\dppdv.exe32⤵
- Executes dropped EXE
PID:3420 -
\??\c:\nthtnh.exec:\nthtnh.exe33⤵
- Executes dropped EXE
PID:2880 -
\??\c:\9bttnn.exec:\9bttnn.exe34⤵
- Executes dropped EXE
PID:4592 -
\??\c:\5pvjd.exec:\5pvjd.exe35⤵
- Executes dropped EXE
PID:2944 -
\??\c:\bnnhbb.exec:\bnnhbb.exe36⤵
- Executes dropped EXE
PID:4200 -
\??\c:\pvjdv.exec:\pvjdv.exe37⤵
- Executes dropped EXE
PID:1900 -
\??\c:\rlrfxrl.exec:\rlrfxrl.exe38⤵
- Executes dropped EXE
PID:3668 -
\??\c:\nhhbnb.exec:\nhhbnb.exe39⤵
- Executes dropped EXE
PID:2348 -
\??\c:\dvvpj.exec:\dvvpj.exe40⤵
- Executes dropped EXE
PID:2044 -
\??\c:\vdjjj.exec:\vdjjj.exe41⤵
- Executes dropped EXE
PID:2788 -
\??\c:\rlxrrlf.exec:\rlxrrlf.exe42⤵
- Executes dropped EXE
PID:2236 -
\??\c:\nntnbt.exec:\nntnbt.exe43⤵
- Executes dropped EXE
PID:4772 -
\??\c:\jdjdj.exec:\jdjdj.exe44⤵
- Executes dropped EXE
PID:4272 -
\??\c:\llllxlf.exec:\llllxlf.exe45⤵
- Executes dropped EXE
PID:1500 -
\??\c:\htnbbb.exec:\htnbbb.exe46⤵
- Executes dropped EXE
PID:1056 -
\??\c:\vddvp.exec:\vddvp.exe47⤵
- Executes dropped EXE
PID:4180 -
\??\c:\7rrfrlf.exec:\7rrfrlf.exe48⤵
- Executes dropped EXE
PID:3516 -
\??\c:\frllxxl.exec:\frllxxl.exe49⤵
- Executes dropped EXE
PID:1204 -
\??\c:\tnnbnn.exec:\tnnbnn.exe50⤵
- Executes dropped EXE
PID:3196 -
\??\c:\pdvjv.exec:\pdvjv.exe51⤵
- Executes dropped EXE
PID:2304 -
\??\c:\7dvjd.exec:\7dvjd.exe52⤵
- Executes dropped EXE
PID:4972 -
\??\c:\9rlfrlf.exec:\9rlfrlf.exe53⤵
- Executes dropped EXE
PID:3560 -
\??\c:\nbbnhb.exec:\nbbnhb.exe54⤵
- Executes dropped EXE
PID:828 -
\??\c:\jddvp.exec:\jddvp.exe55⤵
- Executes dropped EXE
PID:4084 -
\??\c:\frrlffx.exec:\frrlffx.exe56⤵
- Executes dropped EXE
PID:4188 -
\??\c:\llllffr.exec:\llllffr.exe57⤵
- Executes dropped EXE
PID:4976 -
\??\c:\nhbbnt.exec:\nhbbnt.exe58⤵
- Executes dropped EXE
PID:1920 -
\??\c:\ddvpd.exec:\ddvpd.exe59⤵
- Executes dropped EXE
PID:2260 -
\??\c:\frlfrrl.exec:\frlfrrl.exe60⤵
- Executes dropped EXE
PID:5076 -
\??\c:\bhbtnn.exec:\bhbtnn.exe61⤵
- Executes dropped EXE
PID:2744 -
\??\c:\thttnn.exec:\thttnn.exe62⤵
- Executes dropped EXE
PID:2532 -
\??\c:\pdjvd.exec:\pdjvd.exe63⤵
- Executes dropped EXE
PID:3268 -
\??\c:\lxrfrlf.exec:\lxrfrlf.exe64⤵
- Executes dropped EXE
PID:1668 -
\??\c:\lffxlfx.exec:\lffxlfx.exe65⤵
- Executes dropped EXE
PID:4552 -
\??\c:\nntnhn.exec:\nntnhn.exe66⤵PID:4776
-
\??\c:\hbhttn.exec:\hbhttn.exe67⤵PID:1716
-
\??\c:\pdjvp.exec:\pdjvp.exe68⤵PID:3020
-
\??\c:\xlfxrlf.exec:\xlfxrlf.exe69⤵PID:2384
-
\??\c:\xxrlffr.exec:\xxrlffr.exe70⤵PID:4568
-
\??\c:\nbtnhb.exec:\nbtnhb.exe71⤵PID:612
-
\??\c:\bhbthb.exec:\bhbthb.exe72⤵PID:1420
-
\??\c:\dpvjd.exec:\dpvjd.exe73⤵PID:3972
-
\??\c:\xxxxrrx.exec:\xxxxrrx.exe74⤵PID:3436
-
\??\c:\xrfxrrx.exec:\xrfxrrx.exe75⤵PID:4452
-
\??\c:\7nnbtn.exec:\7nnbtn.exe76⤵PID:2796
-
\??\c:\bthtnn.exec:\bthtnn.exe77⤵PID:2052
-
\??\c:\vjjdv.exec:\vjjdv.exe78⤵PID:2852
-
\??\c:\rrfxlxl.exec:\rrfxlxl.exe79⤵PID:3960
-
\??\c:\lxxrffr.exec:\lxxrffr.exe80⤵PID:4160
-
\??\c:\tbbtbt.exec:\tbbtbt.exe81⤵PID:4840
-
\??\c:\pjvdj.exec:\pjvdj.exe82⤵PID:1644
-
\??\c:\llflfll.exec:\llflfll.exe83⤵PID:4704
-
\??\c:\rxxfxrl.exec:\rxxfxrl.exe84⤵PID:4460
-
\??\c:\tnnbtn.exec:\tnnbtn.exe85⤵PID:820
-
\??\c:\dvdvp.exec:\dvdvp.exe86⤵PID:1612
-
\??\c:\frxlfxr.exec:\frxlfxr.exe87⤵PID:1060
-
\??\c:\nnhtnh.exec:\nnhtnh.exe88⤵PID:4984
-
\??\c:\bnntnn.exec:\bnntnn.exe89⤵PID:4428
-
\??\c:\7pvpd.exec:\7pvpd.exe90⤵PID:3384
-
\??\c:\fxfxflf.exec:\fxfxflf.exe91⤵PID:1120
-
\??\c:\ffxrrll.exec:\ffxrrll.exe92⤵PID:4496
-
\??\c:\tbhbbt.exec:\tbhbbt.exe93⤵PID:2820
-
\??\c:\ppdpj.exec:\ppdpj.exe94⤵PID:412
-
\??\c:\hnbntb.exec:\hnbntb.exe95⤵PID:3640
-
\??\c:\djjdv.exec:\djjdv.exe96⤵PID:1540
-
\??\c:\llxrrrr.exec:\llxrrrr.exe97⤵PID:2164
-
\??\c:\xxlfxfr.exec:\xxlfxfr.exe98⤵PID:2152
-
\??\c:\hnnhbb.exec:\hnnhbb.exe99⤵PID:2912
-
\??\c:\jvvpj.exec:\jvvpj.exe100⤵PID:3248
-
\??\c:\rfxrxxr.exec:\rfxrxxr.exe101⤵PID:4580
-
\??\c:\5btnhb.exec:\5btnhb.exe102⤵PID:4528
-
\??\c:\hbtttt.exec:\hbtttt.exe103⤵PID:3536
-
\??\c:\jddjd.exec:\jddjd.exe104⤵PID:4824
-
\??\c:\3lrllfl.exec:\3lrllfl.exe105⤵PID:2080
-
\??\c:\thhtnh.exec:\thhtnh.exe106⤵PID:2268
-
\??\c:\1htnnb.exec:\1htnnb.exe107⤵PID:3208
-
\??\c:\pppdp.exec:\pppdp.exe108⤵PID:1916
-
\??\c:\llxflxl.exec:\llxflxl.exe109⤵PID:2260
-
\??\c:\3nhthb.exec:\3nhthb.exe110⤵PID:816
-
\??\c:\jpvjd.exec:\jpvjd.exe111⤵PID:3616
-
\??\c:\7jdvp.exec:\7jdvp.exe112⤵PID:2532
-
\??\c:\1flfrlx.exec:\1flfrlx.exe113⤵PID:3204
-
\??\c:\tnhbth.exec:\tnhbth.exe114⤵PID:1668
-
\??\c:\dppjj.exec:\dppjj.exe115⤵PID:4552
-
\??\c:\djppp.exec:\djppp.exe116⤵PID:4776
-
\??\c:\5xxlfxr.exec:\5xxlfxr.exe117⤵PID:1716
-
\??\c:\3ttbnh.exec:\3ttbnh.exe118⤵PID:1796
-
\??\c:\bhtnht.exec:\bhtnht.exe119⤵PID:2384
-
\??\c:\pddvp.exec:\pddvp.exe120⤵PID:4568
-
\??\c:\3llfxxx.exec:\3llfxxx.exe121⤵PID:612
-
\??\c:\rlrffxx.exec:\rlrffxx.exe122⤵PID:1420
-
\??\c:\5tnhbb.exec:\5tnhbb.exe123⤵PID:680
-
\??\c:\3jdvv.exec:\3jdvv.exe124⤵PID:3436
-
\??\c:\3llfxrl.exec:\3llfxrl.exe125⤵PID:2244
-
\??\c:\lrrlxxl.exec:\lrrlxxl.exe126⤵PID:2768
-
\??\c:\bhhbnh.exec:\bhhbnh.exe127⤵PID:4156
-
\??\c:\dppjv.exec:\dppjv.exe128⤵PID:1820
-
\??\c:\dvdpj.exec:\dvdpj.exe129⤵PID:4464
-
\??\c:\1xrlxxl.exec:\1xrlxxl.exe130⤵PID:1644
-
\??\c:\ntbttn.exec:\ntbttn.exe131⤵PID:3480
-
\??\c:\3jpjj.exec:\3jpjj.exe132⤵PID:3780
-
\??\c:\vddvp.exec:\vddvp.exe133⤵PID:3460
-
\??\c:\flrlxrl.exec:\flrlxrl.exe134⤵PID:2348
-
\??\c:\llfrlfx.exec:\llfrlfx.exe135⤵PID:2044
-
\??\c:\httnnh.exec:\httnnh.exe136⤵PID:1304
-
\??\c:\jpppp.exec:\jpppp.exe137⤵PID:4572
-
\??\c:\jpvpj.exec:\jpvpj.exe138⤵PID:1056
-
\??\c:\xrrllff.exec:\xrrllff.exe139⤵PID:1908
-
\??\c:\nhhtnn.exec:\nhhtnn.exe140⤵PID:1540
-
\??\c:\vppdj.exec:\vppdj.exe141⤵PID:2164
-
\??\c:\rlrlxlx.exec:\rlrlxlx.exe142⤵PID:4276
-
\??\c:\nhtnnn.exec:\nhtnnn.exe143⤵PID:4408
-
\??\c:\5vpjv.exec:\5vpjv.exe144⤵PID:4404
-
\??\c:\fxrrllf.exec:\fxrrllf.exe145⤵PID:3904
-
\??\c:\bnttbt.exec:\bnttbt.exe146⤵PID:4876
-
\??\c:\1jpjd.exec:\1jpjd.exe147⤵PID:2124
-
\??\c:\fxfxxxl.exec:\fxfxxxl.exe148⤵PID:2472
-
\??\c:\lrrlffx.exec:\lrrlffx.exe149⤵PID:4976
-
\??\c:\9ttnbb.exec:\9ttnbb.exe150⤵PID:3916
-
\??\c:\pvvpj.exec:\pvvpj.exe151⤵PID:1920
-
\??\c:\5dvjd.exec:\5dvjd.exe152⤵PID:2212
-
\??\c:\flffxrf.exec:\flffxrf.exe153⤵PID:2816
-
\??\c:\7hhtnb.exec:\7hhtnb.exe154⤵PID:1512
-
\??\c:\htnhbb.exec:\htnhbb.exe155⤵PID:3616
-
\??\c:\jvjdv.exec:\jvjdv.exe156⤵PID:4524
-
\??\c:\vpppj.exec:\vpppj.exe157⤵PID:4336
-
\??\c:\rflfrlx.exec:\rflfrlx.exe158⤵PID:4048
-
\??\c:\hbnhtn.exec:\hbnhtn.exe159⤵PID:4552
-
\??\c:\btbnhb.exec:\btbnhb.exe160⤵PID:4776
-
\??\c:\jjpjd.exec:\jjpjd.exe161⤵PID:2784
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe162⤵PID:1620
-
\??\c:\fxlxxrx.exec:\fxlxxrx.exe163⤵PID:3588
-
\??\c:\3nbtnh.exec:\3nbtnh.exe164⤵PID:4568
-
\??\c:\pdvjd.exec:\pdvjd.exe165⤵PID:2920
-
\??\c:\ffxxlfx.exec:\ffxxlfx.exe166⤵PID:2544
-
\??\c:\fxxfxxr.exec:\fxxfxxr.exe167⤵PID:3496
-
\??\c:\nbhbbb.exec:\nbhbbb.exe168⤵PID:5056
-
\??\c:\djjdj.exec:\djjdj.exe169⤵PID:3168
-
\??\c:\xflrfxr.exec:\xflrfxr.exe170⤵PID:2796
-
\??\c:\xrxrrrx.exec:\xrxrrrx.exe171⤵PID:2052
-
\??\c:\tnnhbt.exec:\tnnhbt.exe172⤵PID:1516
-
\??\c:\9vpvj.exec:\9vpvj.exe173⤵PID:4060
-
\??\c:\rffxrll.exec:\rffxrll.exe174⤵PID:4652
-
\??\c:\lrrlfrl.exec:\lrrlfrl.exe175⤵PID:3928
-
\??\c:\btbhhh.exec:\btbhhh.exe176⤵PID:4168
-
\??\c:\ppjjd.exec:\ppjjd.exe177⤵PID:2888
-
\??\c:\7jpjd.exec:\7jpjd.exe178⤵PID:3652
-
\??\c:\lrxfxxx.exec:\lrxfxxx.exe179⤵PID:4420
-
\??\c:\hnthbt.exec:\hnthbt.exe180⤵PID:2348
-
\??\c:\pjpjd.exec:\pjpjd.exe181⤵PID:4496
-
\??\c:\ddjdd.exec:\ddjdd.exe182⤵PID:1304
-
\??\c:\3rlxrll.exec:\3rlxrll.exe183⤵PID:4572
-
\??\c:\thhbbt.exec:\thhbbt.exe184⤵PID:2004
-
\??\c:\bnnhtn.exec:\bnnhtn.exe185⤵PID:1192
-
\??\c:\pppvd.exec:\pppvd.exe186⤵PID:4968
-
\??\c:\lrlfxxf.exec:\lrlfxxf.exe187⤵PID:464
-
\??\c:\7lrlllr.exec:\7lrlllr.exe188⤵PID:1816
-
\??\c:\tnthnh.exec:\tnthnh.exe189⤵PID:3196
-
\??\c:\vjjdv.exec:\vjjdv.exe190⤵PID:2304
-
\??\c:\xfrxrxx.exec:\xfrxrxx.exe191⤵PID:3560
-
\??\c:\3tnhbt.exec:\3tnhbt.exe192⤵PID:1832
-
\??\c:\jpdvv.exec:\jpdvv.exe193⤵PID:4796
-
\??\c:\pddvp.exec:\pddvp.exe194⤵PID:4492
-
\??\c:\llllffx.exec:\llllffx.exe195⤵PID:2160
-
\??\c:\1tbbtt.exec:\1tbbtt.exe196⤵PID:1028
-
\??\c:\vvpvv.exec:\vvpvv.exe197⤵PID:4700
-
\??\c:\rllxrlx.exec:\rllxrlx.exe198⤵PID:4356
-
\??\c:\lfxlrrf.exec:\lfxlrrf.exe199⤵PID:2212
-
\??\c:\bbnbbh.exec:\bbnbbh.exe200⤵PID:624
-
\??\c:\vvpjd.exec:\vvpjd.exe201⤵PID:1512
-
\??\c:\rfxlfff.exec:\rfxlfff.exe202⤵PID:4268
-
\??\c:\lllffll.exec:\lllffll.exe203⤵PID:4524
-
\??\c:\hhnnnt.exec:\hhnnnt.exe204⤵PID:4336
-
\??\c:\pdjjj.exec:\pdjjj.exe205⤵PID:3176
-
\??\c:\xlxrlff.exec:\xlxrlff.exe206⤵PID:4552
-
\??\c:\tntttt.exec:\tntttt.exe207⤵PID:4664
-
\??\c:\dpvvj.exec:\dpvvj.exe208⤵PID:3068
-
\??\c:\jvddp.exec:\jvddp.exe209⤵PID:4872
-
\??\c:\llfxfff.exec:\llfxfff.exe210⤵PID:2896
-
\??\c:\hthbtt.exec:\hthbtt.exe211⤵PID:4568
-
\??\c:\5jppp.exec:\5jppp.exe212⤵PID:2920
-
\??\c:\vvjjp.exec:\vvjjp.exe213⤵PID:2544
-
\??\c:\1fxxlfl.exec:\1fxxlfl.exe214⤵PID:3496
-
\??\c:\3ttttb.exec:\3ttttb.exe215⤵PID:2256
-
\??\c:\hbbttn.exec:\hbbttn.exe216⤵PID:3388
-
\??\c:\jdjjj.exec:\jdjjj.exe217⤵PID:2796
-
\??\c:\lxfffff.exec:\lxfffff.exe218⤵PID:4156
-
\??\c:\tnttnt.exec:\tnttnt.exe219⤵PID:1452
-
\??\c:\hbnnnn.exec:\hbnnnn.exe220⤵PID:4612
-
\??\c:\pjjjd.exec:\pjjjd.exe221⤵PID:4656
-
\??\c:\7rfxrlf.exec:\7rfxrlf.exe222⤵PID:3104
-
\??\c:\ttnbtn.exec:\ttnbtn.exe223⤵PID:4488
-
\??\c:\vvddd.exec:\vvddd.exe224⤵PID:4428
-
\??\c:\djvvv.exec:\djvvv.exe225⤵PID:1348
-
\??\c:\xrxxrrr.exec:\xrxxrrr.exe226⤵PID:3524
-
\??\c:\3bbnhh.exec:\3bbnhh.exe227⤵PID:4496
-
\??\c:\1ddvj.exec:\1ddvj.exe228⤵PID:1304
-
\??\c:\vjpjj.exec:\vjpjj.exe229⤵PID:4944
-
\??\c:\7lrrxfl.exec:\7lrrxfl.exe230⤵PID:2004
-
\??\c:\hbhthb.exec:\hbhthb.exe231⤵PID:1192
-
\??\c:\vdvpd.exec:\vdvpd.exe232⤵PID:4808
-
\??\c:\ffxfrlr.exec:\ffxfrlr.exe233⤵PID:2076
-
\??\c:\hthntn.exec:\hthntn.exe234⤵PID:2000
-
\??\c:\hhttbh.exec:\hhttbh.exe235⤵PID:2980
-
\??\c:\5vddd.exec:\5vddd.exe236⤵PID:2152
-
\??\c:\xflffff.exec:\xflffff.exe237⤵PID:3968
-
\??\c:\3bhbth.exec:\3bhbth.exe238⤵PID:3316
-
\??\c:\7pdvp.exec:\7pdvp.exe239⤵PID:4004
-
\??\c:\lflfxxr.exec:\lflfxxr.exe240⤵PID:828
-
\??\c:\5nnbtn.exec:\5nnbtn.exe241⤵PID:3560
-
\??\c:\htbbth.exec:\htbbth.exe242⤵PID:4884