Analysis
-
max time kernel
150s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
18-05-2024 06:00
Behavioral task
behavioral1 (note: this task card lists the win7-20240220-en / windows7-x64 run, while the memory-dump and process IoCs below are tagged behavioral2, matching the windows10-2004_x64 / win10v2004-20240508-en platform in the Analysis header)
Sample
9ea6a163c18f982fb7be92e1f1ff1a40_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
5 signatures
150 seconds
General
-
Target
9ea6a163c18f982fb7be92e1f1ff1a40_NeikiAnalytics.exe
-
Size
254KB
-
MD5
9ea6a163c18f982fb7be92e1f1ff1a40
-
SHA1
46fb2b9a7d7d86b774e09f213ec839ecf25416be
-
SHA256
2c95efc73516af405e5388b79bfcdd13c89d577a2547fccf2df13e5071af8e1e
-
SHA512
5b5deeb5194a24b6b307abdbbacedc4996e477ad3089336e57942555068f62cb5cd6bb31da861cf80b65a210fdced7dfef823a681bec1d66f39fb0455511c759
-
SSDEEP
6144:kcm4FmowdHoSphraHcpOaKHpolTjZXvEQo9dfrz:y4wFHoS3eFaKHpKT9XvEhdfrz
Malware Config
Signatures
-
Detect Blackmoon payload (64 IoCs)
Processes:
resource yara_rule behavioral2/memory/4232-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4276-1-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2064-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2456-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4744-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2636-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2368-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/760-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2056-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/112-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1376-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1352-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3308-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4604-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4676-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4408-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4520-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2600-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2860-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4324-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/528-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3728-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1408-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3240-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2368-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1404-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4972-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2892-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4284-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4880-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4408-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2600-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2736-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2384-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4584-373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-405-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/440-413-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-420-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1380-428-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-476-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2840-499-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4672-506-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2740-610-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2828-681-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1676-753-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4544-780-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2572-863-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
Executes dropped EXE (64 IoCs)
Processes:
bnnhhh.exe bntttt.exe bnbhhn.exe jdjjj.exe bbnnth.exe hbttnn.exe 9pjjp.exe rlfllxx.exe dvddd.exe 1llllrr.exe vdddv.exe 5xffxfx.exe hntnnh.exe ppvjd.exe rxllrrx.exe hbttnn.exe 7htbbn.exe xfrlrfl.exe xlrxfll.exe vvppd.exe 3pdpp.exe nnbbnn.exe jjjjd.exe rfrxfll.exe lrfrrll.exe hthnnt.exe rxrffff.exe btnhtt.exe pppjv.exe rxrlfff.exe hhtnbb.exe vvvvd.exe xxlllxf.exe vpjjp.exe ddddj.exe lllllrr.exe btnnnt.exe 3htnnn.exe dvjpp.exe rllffff.exe 1nnnbn.exe vvddv.exe rrxxrrr.exe llxffrx.exe hnbhhn.exe bntbht.exe ppvvv.exe 7xxxflr.exe rxfffff.exe ttbbnn.exe nnhhhh.exe ppvjj.exe xllxxxx.exe flrrrxx.exe thnnnt.exe jdddv.exe jjjdd.exe 9fxxlll.exe xrxrrxx.exe nhttbh.exe ddjvd.exe vpvpj.exe 9xlllrx.exe bbtthn.exe
pid process: 4232 bnnhhh.exe 2064 bntttt.exe 3900 bnbhhn.exe 4632 jdjjj.exe 4744 bbnnth.exe 2456 hbttnn.exe 4224 9pjjp.exe 2636 rlfllxx.exe 2368 dvddd.exe 760 1llllrr.exe 2056 vdddv.exe 4932 5xffxfx.exe 112 hntnnh.exe 1376 ppvjd.exe 1352 rxllrrx.exe 4604 hbttnn.exe 3308 7htbbn.exe 5072 xfrlrfl.exe 4676 xlrxfll.exe 2476 vvppd.exe 4000 3pdpp.exe 3084 nnbbnn.exe 4408 jjjjd.exe 4996 rfrxfll.exe 4520 lrfrrll.exe 2600 hthnnt.exe 2920 rxrffff.exe 4836 btnhtt.exe 1828 pppjv.exe 4476 rxrlfff.exe 2668 hhtnbb.exe 880 vvvvd.exe 3596 xxlllxf.exe 4824 vpjjp.exe 1640 ddddj.exe 3456 lllllrr.exe 1416 btnnnt.exe 2860 3htnnn.exe 1932 dvjpp.exe 4800 rllffff.exe 4232 1nnnbn.exe 4324 vvddv.exe 3728 rrxxrrr.exe 528 llxffrx.exe 4636 hnbhhn.exe 2416 bntbht.exe 1408 ppvvv.exe 2900 7xxxflr.exe 1720 rxfffff.exe 8 ttbbnn.exe 3940 nnhhhh.exe 3240 ppvjj.exe 2368 xllxxxx.exe 2204 flrrrxx.exe 1404 thnnnt.exe 4972 jdddv.exe 2892 jjjdd.exe 1432 9fxxlll.exe 3500 xrxrrxx.exe 548 nhttbh.exe 1352 ddjvd.exe 5092 vpvpj.exe 3300 9xlllrx.exe 4284 bbtthn.exe
Processes:
resource yara_rule C:\bnnhhh.exe upx behavioral2/memory/4232-7-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\bntttt.exe upx behavioral2/memory/4276-1-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bnbhhn.exe upx behavioral2/memory/2064-13-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\jdjjj.exe upx behavioral2/memory/3900-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4632-23-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bbnnth.exe upx behavioral2/memory/4632-31-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\hbttnn.exe upx behavioral2/memory/2456-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4744-30-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\9pjjp.exe upx C:\rlfllxx.exe upx behavioral2/memory/2636-48-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\dvddd.exe upx behavioral2/memory/2636-52-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\1llllrr.exe upx behavioral2/memory/2368-58-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\vdddv.exe upx behavioral2/memory/760-65-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\5xffxfx.exe upx behavioral2/memory/2056-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4932-72-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\hntnnh.exe upx behavioral2/memory/4932-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/112-80-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ppvjd.exe upx behavioral2/memory/1376-85-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rxllrrx.exe upx behavioral2/memory/1352-92-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\hbttnn.exe upx C:\7htbbn.exe upx behavioral2/memory/3308-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4604-98-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xfrlrfl.exe upx C:\xlrxfll.exe upx 
behavioral2/memory/5072-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4676-118-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\vvppd.exe upx \??\c:\3pdpp.exe upx behavioral2/memory/4000-126-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\nnbbnn.exe upx C:\jjjjd.exe upx behavioral2/memory/4408-138-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\rfrxfll.exe upx behavioral2/memory/4996-146-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\lrfrrll.exe upx C:\hthnnt.exe upx behavioral2/memory/4520-150-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rxrffff.exe upx behavioral2/memory/2600-158-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\btnhtt.exe upx C:\pppjv.exe upx C:\rxrlfff.exe upx C:\hhtnbb.exe upx \??\c:\vvvvd.exe upx behavioral2/memory/3596-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4824-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3456-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2860-209-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4800-214-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
9ea6a163c18f982fb7be92e1f1ff1a40_NeikiAnalytics.exe bnnhhh.exe bntttt.exe bnbhhn.exe jdjjj.exe bbnnth.exe hbttnn.exe 9pjjp.exe rlfllxx.exe dvddd.exe 1llllrr.exe vdddv.exe 5xffxfx.exe hntnnh.exe ppvjd.exe rxllrrx.exe hbttnn.exe 7htbbn.exe xfrlrfl.exe xlrxfll.exe vvppd.exe 3pdpp.exe
description pid process target process: PID 4276 wrote to memory of 4232 4276 9ea6a163c18f982fb7be92e1f1ff1a40_NeikiAnalytics.exe bnnhhh.exe PID 4276 wrote to memory of 4232 4276 9ea6a163c18f982fb7be92e1f1ff1a40_NeikiAnalytics.exe bnnhhh.exe PID 4276 wrote to memory of 4232 4276 9ea6a163c18f982fb7be92e1f1ff1a40_NeikiAnalytics.exe bnnhhh.exe PID 4232 wrote to memory of 2064 4232 bnnhhh.exe bntttt.exe PID 4232 wrote to memory of 2064 4232 bnnhhh.exe bntttt.exe PID 4232 wrote to memory of 2064 4232 bnnhhh.exe bntttt.exe PID 2064 wrote to memory of 3900 2064 bntttt.exe bnbhhn.exe PID 2064 wrote to memory of 3900 2064 bntttt.exe bnbhhn.exe PID 2064 wrote to memory of 3900 2064 bntttt.exe bnbhhn.exe PID 3900 wrote to memory of 4632 3900 bnbhhn.exe jdjjj.exe PID 3900 wrote to memory of 4632 3900 bnbhhn.exe jdjjj.exe PID 3900 wrote to memory of 4632 3900 bnbhhn.exe jdjjj.exe PID 4632 wrote to memory of 4744 4632 jdjjj.exe bbnnth.exe PID 4632 wrote to memory of 4744 4632 jdjjj.exe bbnnth.exe PID 4632 wrote to memory of 4744 4632 jdjjj.exe bbnnth.exe PID 4744 wrote to memory of 2456 4744 bbnnth.exe hbttnn.exe PID 4744 wrote to memory of 2456 4744 bbnnth.exe hbttnn.exe PID 4744 wrote to memory of 2456 4744 bbnnth.exe hbttnn.exe PID 2456 wrote to memory of 4224 2456 hbttnn.exe 9pjjp.exe PID 2456 wrote to memory of 4224 2456 hbttnn.exe 9pjjp.exe PID 2456 wrote to memory of 4224 2456 hbttnn.exe 9pjjp.exe PID 4224 wrote to memory of 2636 4224 9pjjp.exe rlfllxx.exe PID 4224 wrote to memory of 2636 4224 9pjjp.exe rlfllxx.exe PID 4224 wrote to memory of 2636 4224 9pjjp.exe rlfllxx.exe PID 2636 wrote to memory of 2368 2636 rlfllxx.exe dvddd.exe PID 2636 wrote to memory of 2368 2636 rlfllxx.exe dvddd.exe PID 2636 wrote to memory 
of 2368 2636 rlfllxx.exe dvddd.exe PID 2368 wrote to memory of 760 2368 dvddd.exe 1llllrr.exe PID 2368 wrote to memory of 760 2368 dvddd.exe 1llllrr.exe PID 2368 wrote to memory of 760 2368 dvddd.exe 1llllrr.exe PID 760 wrote to memory of 2056 760 1llllrr.exe vdddv.exe PID 760 wrote to memory of 2056 760 1llllrr.exe vdddv.exe PID 760 wrote to memory of 2056 760 1llllrr.exe vdddv.exe PID 2056 wrote to memory of 4932 2056 vdddv.exe 5xffxfx.exe PID 2056 wrote to memory of 4932 2056 vdddv.exe 5xffxfx.exe PID 2056 wrote to memory of 4932 2056 vdddv.exe 5xffxfx.exe PID 4932 wrote to memory of 112 4932 5xffxfx.exe hntnnh.exe PID 4932 wrote to memory of 112 4932 5xffxfx.exe hntnnh.exe PID 4932 wrote to memory of 112 4932 5xffxfx.exe hntnnh.exe PID 112 wrote to memory of 1376 112 hntnnh.exe ppvjd.exe PID 112 wrote to memory of 1376 112 hntnnh.exe ppvjd.exe PID 112 wrote to memory of 1376 112 hntnnh.exe ppvjd.exe PID 1376 wrote to memory of 1352 1376 ppvjd.exe rxllrrx.exe PID 1376 wrote to memory of 1352 1376 ppvjd.exe rxllrrx.exe PID 1376 wrote to memory of 1352 1376 ppvjd.exe rxllrrx.exe PID 1352 wrote to memory of 4604 1352 rxllrrx.exe hbttnn.exe PID 1352 wrote to memory of 4604 1352 rxllrrx.exe hbttnn.exe PID 1352 wrote to memory of 4604 1352 rxllrrx.exe hbttnn.exe PID 4604 wrote to memory of 3308 4604 hbttnn.exe 7htbbn.exe PID 4604 wrote to memory of 3308 4604 hbttnn.exe 7htbbn.exe PID 4604 wrote to memory of 3308 4604 hbttnn.exe 7htbbn.exe PID 3308 wrote to memory of 5072 3308 7htbbn.exe xfrlrfl.exe PID 3308 wrote to memory of 5072 3308 7htbbn.exe xfrlrfl.exe PID 3308 wrote to memory of 5072 3308 7htbbn.exe xfrlrfl.exe PID 5072 wrote to memory of 4676 5072 xfrlrfl.exe xlrxfll.exe PID 5072 wrote to memory of 4676 5072 xfrlrfl.exe xlrxfll.exe PID 5072 wrote to memory of 4676 5072 xfrlrfl.exe xlrxfll.exe PID 4676 wrote to memory of 2476 4676 xlrxfll.exe vvppd.exe PID 4676 wrote to memory of 2476 4676 xlrxfll.exe vvppd.exe PID 4676 wrote to memory of 2476 4676 xlrxfll.exe 
vvppd.exe PID 2476 wrote to memory of 4000 2476 vvppd.exe 3pdpp.exe PID 2476 wrote to memory of 4000 2476 vvppd.exe 3pdpp.exe PID 2476 wrote to memory of 4000 2476 vvppd.exe 3pdpp.exe PID 4000 wrote to memory of 3084 4000 3pdpp.exe nnbbnn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ea6a163c18f982fb7be92e1f1ff1a40_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9ea6a163c18f982fb7be92e1f1ff1a40_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\bnnhhh.exec:\bnnhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\bntttt.exec:\bntttt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\bnbhhn.exec:\bnbhhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\jdjjj.exec:\jdjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\bbnnth.exec:\bbnnth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\hbttnn.exec:\hbttnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\9pjjp.exec:\9pjjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\rlfllxx.exec:\rlfllxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\dvddd.exec:\dvddd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\1llllrr.exec:\1llllrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\vdddv.exec:\vdddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\5xffxfx.exec:\5xffxfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\hntnnh.exec:\hntnnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\ppvjd.exec:\ppvjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\rxllrrx.exec:\rxllrrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\hbttnn.exec:\hbttnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\7htbbn.exec:\7htbbn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\xfrlrfl.exec:\xfrlrfl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\xlrxfll.exec:\xlrxfll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\vvppd.exec:\vvppd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\3pdpp.exec:\3pdpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\nnbbnn.exec:\nnbbnn.exe23⤵
- Executes dropped EXE
PID:3084 -
\??\c:\jjjjd.exec:\jjjjd.exe24⤵
- Executes dropped EXE
PID:4408 -
\??\c:\rfrxfll.exec:\rfrxfll.exe25⤵
- Executes dropped EXE
PID:4996 -
\??\c:\lrfrrll.exec:\lrfrrll.exe26⤵
- Executes dropped EXE
PID:4520 -
\??\c:\hthnnt.exec:\hthnnt.exe27⤵
- Executes dropped EXE
PID:2600 -
\??\c:\rxrffff.exec:\rxrffff.exe28⤵
- Executes dropped EXE
PID:2920 -
\??\c:\btnhtt.exec:\btnhtt.exe29⤵
- Executes dropped EXE
PID:4836 -
\??\c:\pppjv.exec:\pppjv.exe30⤵
- Executes dropped EXE
PID:1828 -
\??\c:\rxrlfff.exec:\rxrlfff.exe31⤵
- Executes dropped EXE
PID:4476 -
\??\c:\hhtnbb.exec:\hhtnbb.exe32⤵
- Executes dropped EXE
PID:2668 -
\??\c:\vvvvd.exec:\vvvvd.exe33⤵
- Executes dropped EXE
PID:880 -
\??\c:\xxlllxf.exec:\xxlllxf.exe34⤵
- Executes dropped EXE
PID:3596 -
\??\c:\vpjjp.exec:\vpjjp.exe35⤵
- Executes dropped EXE
PID:4824 -
\??\c:\ddddj.exec:\ddddj.exe36⤵
- Executes dropped EXE
PID:1640 -
\??\c:\lllllrr.exec:\lllllrr.exe37⤵
- Executes dropped EXE
PID:3456 -
\??\c:\btnnnt.exec:\btnnnt.exe38⤵
- Executes dropped EXE
PID:1416 -
\??\c:\3htnnn.exec:\3htnnn.exe39⤵
- Executes dropped EXE
PID:2860 -
\??\c:\dvjpp.exec:\dvjpp.exe40⤵
- Executes dropped EXE
PID:1932 -
\??\c:\rllffff.exec:\rllffff.exe41⤵
- Executes dropped EXE
PID:4800 -
\??\c:\hbnhbt.exec:\hbnhbt.exe42⤵PID:4272
-
\??\c:\1nnnbn.exec:\1nnnbn.exe43⤵
- Executes dropped EXE
PID:4232 -
\??\c:\vvddv.exec:\vvddv.exe44⤵
- Executes dropped EXE
PID:4324 -
\??\c:\rrxxrrr.exec:\rrxxrrr.exe45⤵
- Executes dropped EXE
PID:3728 -
\??\c:\llxffrx.exec:\llxffrx.exe46⤵
- Executes dropped EXE
PID:528 -
\??\c:\hnbhhn.exec:\hnbhhn.exe47⤵
- Executes dropped EXE
PID:4636 -
\??\c:\bntbht.exec:\bntbht.exe48⤵
- Executes dropped EXE
PID:2416 -
\??\c:\ppvvv.exec:\ppvvv.exe49⤵
- Executes dropped EXE
PID:1408 -
\??\c:\7xxxflr.exec:\7xxxflr.exe50⤵
- Executes dropped EXE
PID:2900 -
\??\c:\rxfffff.exec:\rxfffff.exe51⤵
- Executes dropped EXE
PID:1720 -
\??\c:\ttbbnn.exec:\ttbbnn.exe52⤵
- Executes dropped EXE
PID:8 -
\??\c:\nnhhhh.exec:\nnhhhh.exe53⤵
- Executes dropped EXE
PID:3940 -
\??\c:\ppvjj.exec:\ppvjj.exe54⤵
- Executes dropped EXE
PID:3240 -
\??\c:\xllxxxx.exec:\xllxxxx.exe55⤵
- Executes dropped EXE
PID:2368 -
\??\c:\flrrrxx.exec:\flrrrxx.exe56⤵
- Executes dropped EXE
PID:2204 -
\??\c:\thnnnt.exec:\thnnnt.exe57⤵
- Executes dropped EXE
PID:1404 -
\??\c:\jdddv.exec:\jdddv.exe58⤵
- Executes dropped EXE
PID:4972 -
\??\c:\jjjdd.exec:\jjjdd.exe59⤵
- Executes dropped EXE
PID:2892 -
\??\c:\9fxxlll.exec:\9fxxlll.exe60⤵
- Executes dropped EXE
PID:1432 -
\??\c:\xrxrrxx.exec:\xrxrrxx.exe61⤵
- Executes dropped EXE
PID:3500 -
\??\c:\nhttbh.exec:\nhttbh.exe62⤵
- Executes dropped EXE
PID:548 -
\??\c:\ddjvd.exec:\ddjvd.exe63⤵
- Executes dropped EXE
PID:1352 -
\??\c:\vpvpj.exec:\vpvpj.exe64⤵
- Executes dropped EXE
PID:5092 -
\??\c:\9xlllrx.exec:\9xlllrx.exe65⤵
- Executes dropped EXE
PID:3300 -
\??\c:\bbtthn.exec:\bbtthn.exe66⤵
- Executes dropped EXE
PID:4284 -
\??\c:\nnhhbt.exec:\nnhhbt.exe67⤵PID:1836
-
\??\c:\vpvpp.exec:\vpvpp.exe68⤵PID:4748
-
\??\c:\xxxxxff.exec:\xxxxxff.exe69⤵PID:4880
-
\??\c:\rfrflxf.exec:\rfrflxf.exe70⤵PID:4548
-
\??\c:\nhhbtt.exec:\nhhbtt.exe71⤵PID:2476
-
\??\c:\jpvjj.exec:\jpvjj.exe72⤵PID:4556
-
\??\c:\lllrrrf.exec:\lllrrrf.exe73⤵PID:2556
-
\??\c:\ttbbnn.exec:\ttbbnn.exe74⤵PID:4408
-
\??\c:\nhnhnn.exec:\nhnhnn.exe75⤵PID:2524
-
\??\c:\vdjpv.exec:\vdjpv.exe76⤵PID:4936
-
\??\c:\7llfxxl.exec:\7llfxxl.exe77⤵PID:1612
-
\??\c:\hbnhnn.exec:\hbnhnn.exe78⤵PID:2600
-
\??\c:\vvvvv.exec:\vvvvv.exe79⤵PID:3608
-
\??\c:\xllxlfr.exec:\xllxlfr.exe80⤵PID:2736
-
\??\c:\ttntnn.exec:\ttntnn.exe81⤵PID:3388
-
\??\c:\1jdvp.exec:\1jdvp.exe82⤵PID:4940
-
\??\c:\lrlxlxl.exec:\lrlxlxl.exe83⤵PID:3416
-
\??\c:\llrllll.exec:\llrllll.exe84⤵PID:2384
-
\??\c:\hbbbtn.exec:\hbbbtn.exe85⤵PID:4648
-
\??\c:\nhhhtn.exec:\nhhhtn.exe86⤵PID:4584
-
\??\c:\5jvdd.exec:\5jvdd.exe87⤵PID:3428
-
\??\c:\lrxlrfx.exec:\lrxlrfx.exe88⤵PID:3212
-
\??\c:\jdpdp.exec:\jdpdp.exe89⤵PID:1580
-
\??\c:\3vddp.exec:\3vddp.exe90⤵PID:3560
-
\??\c:\lfrfffl.exec:\lfrfffl.exe91⤵PID:3732
-
\??\c:\nhnbth.exec:\nhnbth.exe92⤵PID:3512
-
\??\c:\tntnhh.exec:\tntnhh.exe93⤵PID:4364
-
\??\c:\vdddv.exec:\vdddv.exe94⤵PID:4308
-
\??\c:\xfffxff.exec:\xfffxff.exe95⤵PID:4780
-
\??\c:\7frlffx.exec:\7frlffx.exe96⤵PID:4332
-
\??\c:\bnhbbb.exec:\bnhbbb.exe97⤵PID:3024
-
\??\c:\pppvv.exec:\pppvv.exe98⤵PID:3900
-
\??\c:\ddjdj.exec:\ddjdj.exe99⤵PID:440
-
\??\c:\3lrflfx.exec:\3lrflfx.exe100⤵PID:2184
-
\??\c:\bnbnhb.exec:\bnbnhb.exe101⤵PID:1108
-
\??\c:\ttbhtt.exec:\ttbhtt.exe102⤵PID:1720
-
\??\c:\vvvpj.exec:\vvvpj.exe103⤵PID:1380
-
\??\c:\3rllrrl.exec:\3rllrrl.exe104⤵PID:3244
-
\??\c:\nbbbtn.exec:\nbbbtn.exe105⤵PID:928
-
\??\c:\vdpjd.exec:\vdpjd.exe106⤵PID:1008
-
\??\c:\xfrrrxf.exec:\xfrrrxf.exe107⤵PID:3392
-
\??\c:\xxrrlrf.exec:\xxrrlrf.exe108⤵PID:1404
-
\??\c:\hnbnbt.exec:\hnbnbt.exe109⤵PID:3368
-
\??\c:\jvvdp.exec:\jvvdp.exe110⤵PID:736
-
\??\c:\lflllrr.exec:\lflllrr.exe111⤵PID:3696
-
\??\c:\lxfxxrr.exec:\lxfxxrr.exe112⤵PID:1664
-
\??\c:\nbthbb.exec:\nbthbb.exe113⤵PID:548
-
\??\c:\jjvpj.exec:\jjvpj.exe114⤵PID:1328
-
\??\c:\djpdv.exec:\djpdv.exe115⤵PID:5088
-
\??\c:\lrrrxff.exec:\lrrrxff.exe116⤵PID:4612
-
\??\c:\ntbttt.exec:\ntbttt.exe117⤵PID:4768
-
\??\c:\ttbtnb.exec:\ttbtnb.exe118⤵PID:4608
-
\??\c:\vjppd.exec:\vjppd.exe119⤵PID:4748
-
\??\c:\ffxfrxx.exec:\ffxfrxx.exe120⤵PID:2568
-
\??\c:\ffxxxff.exec:\ffxxxff.exe121⤵PID:4516
-
\??\c:\bhhtth.exec:\bhhtth.exe122⤵PID:3084
-
\??\c:\jjvjj.exec:\jjvjj.exe123⤵PID:1228
-
\??\c:\dddvp.exec:\dddvp.exe124⤵PID:4132
-
\??\c:\5rfxffl.exec:\5rfxffl.exe125⤵PID:2840
-
\??\c:\9nhhhb.exec:\9nhhhb.exe126⤵PID:2308
-
\??\c:\tntnnh.exec:\tntnnh.exe127⤵PID:4672
-
\??\c:\3djjv.exec:\3djjv.exe128⤵PID:2392
-
\??\c:\rxlxrxr.exec:\rxlxrxr.exe129⤵PID:4876
-
\??\c:\5rfflrx.exec:\5rfflrx.exe130⤵PID:4476
-
\??\c:\nnnhhh.exec:\nnnhhh.exe131⤵PID:4304
-
\??\c:\tnnnhh.exec:\tnnnhh.exe132⤵PID:3044
-
\??\c:\pvdvp.exec:\pvdvp.exe133⤵PID:3428
-
\??\c:\lxrrllf.exec:\lxrrllf.exe134⤵PID:4960
-
\??\c:\rffxxxr.exec:\rffxxxr.exe135⤵PID:4968
-
\??\c:\nbtnnn.exec:\nbtnnn.exe136⤵PID:264
-
\??\c:\1jpvv.exec:\1jpvv.exe137⤵PID:1932
-
\??\c:\3rfffll.exec:\3rfffll.exe138⤵PID:4152
-
\??\c:\hbnnnn.exec:\hbnnnn.exe139⤵PID:1516
-
\??\c:\hhtbnb.exec:\hhtbnb.exe140⤵PID:1116
-
\??\c:\frffllr.exec:\frffllr.exe141⤵PID:3552
-
\??\c:\9hnhhh.exec:\9hnhhh.exe142⤵PID:628
-
\??\c:\btthbn.exec:\btthbn.exe143⤵PID:5048
-
\??\c:\7bthnn.exec:\7bthnn.exe144⤵PID:2912
-
\??\c:\nhtthn.exec:\nhtthn.exe145⤵PID:820
-
\??\c:\llrrrrx.exec:\llrrrrx.exe146⤵PID:4536
-
\??\c:\rlfxrrr.exec:\rlfxrrr.exe147⤵PID:60
-
\??\c:\nbntbh.exec:\nbntbh.exe148⤵PID:1236
-
\??\c:\jvdpp.exec:\jvdpp.exe149⤵PID:4872
-
\??\c:\vpddj.exec:\vpddj.exe150⤵PID:1832
-
\??\c:\rlllllr.exec:\rlllllr.exe151⤵PID:3764
-
\??\c:\hhbbhb.exec:\hhbbhb.exe152⤵PID:4580
-
\??\c:\pdpvp.exec:\pdpvp.exe153⤵PID:4500
-
\??\c:\3jjjj.exec:\3jjjj.exe154⤵PID:2112
-
\??\c:\xrffxxx.exec:\xrffxxx.exe155⤵PID:1292
-
\??\c:\bthnnn.exec:\bthnnn.exe156⤵PID:2244
-
\??\c:\7pvvv.exec:\7pvvv.exe157⤵PID:3880
-
\??\c:\djpjd.exec:\djpjd.exe158⤵PID:4552
-
\??\c:\fxrrxff.exec:\fxrrxff.exe159⤵PID:1328
-
\??\c:\hbtttb.exec:\hbtttb.exe160⤵PID:3156
-
\??\c:\dvppd.exec:\dvppd.exe161⤵PID:2740
-
\??\c:\jjvvd.exec:\jjvvd.exe162⤵PID:4976
-
\??\c:\xxrxlrl.exec:\xxrxlrl.exe163⤵PID:1260
-
\??\c:\nthhhh.exec:\nthhhh.exe164⤵PID:4000
-
\??\c:\ntttnn.exec:\ntttnn.exe165⤵PID:2476
-
\??\c:\vjddd.exec:\vjddd.exe166⤵PID:4556
-
\??\c:\1rxxxfl.exec:\1rxxxfl.exe167⤵PID:3084
-
\??\c:\bbhhtb.exec:\bbhhtb.exe168⤵PID:64
-
\??\c:\3nnnnt.exec:\3nnnnt.exe169⤵PID:4936
-
\??\c:\ppjjj.exec:\ppjjj.exe170⤵PID:2600
-
\??\c:\rfrxlll.exec:\rfrxlll.exe171⤵PID:452
-
\??\c:\hbnnnt.exec:\hbnnnt.exe172⤵PID:2736
-
\??\c:\5hbhbh.exec:\5hbhbh.exe173⤵PID:3052
-
\??\c:\9vppv.exec:\9vppv.exe174⤵PID:1160
-
\??\c:\jvvjj.exec:\jvvjj.exe175⤵PID:4476
-
\??\c:\xlrxrrr.exec:\xlrxrrr.exe176⤵PID:4304
-
\??\c:\ttnnnn.exec:\ttnnnn.exe177⤵PID:3044
-
\??\c:\hnhhhn.exec:\hnhhhn.exe178⤵PID:3428
-
\??\c:\vdppj.exec:\vdppj.exe179⤵PID:4960
-
\??\c:\ffrlxrx.exec:\ffrlxrx.exe180⤵PID:3868
-
\??\c:\rffrfll.exec:\rffrfll.exe181⤵PID:1904
-
\??\c:\bthhhn.exec:\bthhhn.exe182⤵PID:1932
-
\??\c:\9jjvv.exec:\9jjvv.exe183⤵PID:3100
-
\??\c:\1dpjp.exec:\1dpjp.exe184⤵PID:368
-
\??\c:\lrrrxfx.exec:\lrrrxfx.exe185⤵PID:2828
-
\??\c:\7xxrlff.exec:\7xxrlff.exe186⤵PID:348
-
\??\c:\nbhntb.exec:\nbhntb.exe187⤵PID:4744
-
\??\c:\vjjdv.exec:\vjjdv.exe188⤵PID:2656
-
\??\c:\pjvvv.exec:\pjvvv.exe189⤵PID:2692
-
\??\c:\lffxxxr.exec:\lffxxxr.exe190⤵PID:2776
-
\??\c:\rxfllrf.exec:\rxfllrf.exe191⤵PID:2636
-
\??\c:\9hnnnt.exec:\9hnnnt.exe192⤵PID:2120
-
\??\c:\1pjjj.exec:\1pjjj.exe193⤵PID:760
-
\??\c:\1rfrrxf.exec:\1rfrrxf.exe194⤵PID:4220
-
\??\c:\xflllrr.exec:\xflllrr.exe195⤵PID:5044
-
\??\c:\hnbbhb.exec:\hnbbhb.exe196⤵PID:4580
-
\??\c:\bhhbhb.exec:\bhhbhb.exe197⤵PID:3196
-
\??\c:\dvjpd.exec:\dvjpd.exe198⤵PID:2076
-
\??\c:\ddvvj.exec:\ddvvj.exe199⤵PID:1664
-
\??\c:\rxrxfff.exec:\rxrxfff.exe200⤵PID:3872
-
\??\c:\1bnhnn.exec:\1bnhnn.exe201⤵PID:4552
-
\??\c:\thhnnt.exec:\thhnnt.exe202⤵PID:2572
-
\??\c:\pjvvv.exec:\pjvvv.exe203⤵PID:3192
-
\??\c:\5dpvv.exec:\5dpvv.exe204⤵PID:3488
-
\??\c:\xrrrlrl.exec:\xrrrlrl.exe205⤵PID:4880
-
\??\c:\btbbbb.exec:\btbbbb.exe206⤵PID:4696
-
\??\c:\5thhnn.exec:\5thhnn.exe207⤵PID:1600
-
\??\c:\vjddd.exec:\vjddd.exe208⤵PID:1676
-
\??\c:\pvvdj.exec:\pvvdj.exe209⤵PID:4760
-
\??\c:\5ffffll.exec:\5ffffll.exe210⤵PID:2544
-
\??\c:\tnbbbb.exec:\tnbbbb.exe211⤵PID:2840
-
\??\c:\9bntbh.exec:\9bntbh.exe212⤵PID:4496
-
\??\c:\vjvvv.exec:\vjvvv.exe213⤵PID:452
-
\??\c:\ppvvp.exec:\ppvvp.exe214⤵PID:2884
-
\??\c:\xlxxrrr.exec:\xlxxrrr.exe215⤵PID:1204
-
\??\c:\btnnnt.exec:\btnnnt.exe216⤵PID:4544
-
\??\c:\pjvdv.exec:\pjvdv.exe217⤵PID:4392
-
\??\c:\vvppp.exec:\vvppp.exe218⤵PID:1640
-
\??\c:\fxflllx.exec:\fxflllx.exe219⤵PID:232
-
\??\c:\hhhhhb.exec:\hhhhhb.exe220⤵PID:4044
-
\??\c:\3pddv.exec:\3pddv.exe221⤵PID:2360
-
\??\c:\9lfxrrl.exec:\9lfxrrl.exe222⤵PID:4364
-
\??\c:\9rfxxff.exec:\9rfxxff.exe223⤵PID:4308
-
\??\c:\nnbbhn.exec:\nnbbhn.exe224⤵PID:4780
-
\??\c:\pjdvv.exec:\pjdvv.exe225⤵PID:3728
-
\??\c:\xrrlllx.exec:\xrrlllx.exe226⤵PID:3900
-
\??\c:\9frlrrr.exec:\9frlrrr.exe227⤵PID:528
-
\??\c:\hbtbnt.exec:\hbtbnt.exe228⤵PID:440
-
\??\c:\dvjjj.exec:\dvjjj.exe229⤵PID:3712
-
\??\c:\xrfxxxl.exec:\xrfxxxl.exe230⤵PID:5028
-
\??\c:\llfflrr.exec:\llfflrr.exe231⤵PID:692
-
\??\c:\5nttbh.exec:\5nttbh.exe232⤵PID:2636
-
\??\c:\dpddd.exec:\dpddd.exe233⤵PID:3536
-
\??\c:\5xxrrxr.exec:\5xxrrxr.exe234⤵PID:1216
-
\??\c:\1lllffx.exec:\1lllffx.exe235⤵PID:4056
-
\??\c:\tnhbth.exec:\tnhbth.exe236⤵PID:3208
-
\??\c:\vjdpp.exec:\vjdpp.exe237⤵PID:4580
-
\??\c:\lxfllrr.exec:\lxfllrr.exe238⤵PID:3696
-
\??\c:\rlxxxrx.exec:\rlxxxrx.exe239⤵PID:2076
-
\??\c:\bnttnh.exec:\bnttnh.exe240⤵PID:1664
-
\??\c:\pppjv.exec:\pppjv.exe241⤵PID:3872
-
\??\c:\rlxxxff.exec:\rlxxxff.exe242⤵PID:4768