Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted
18-05-2024 06:03
Behavioral task
behavioral1 (task summary for the Windows 7 image; the signature hits and process tree on this page are tagged behavioral2 and correspond to the Windows 10 2004 x64 image named in the analysis header above)
Sample
9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
5 signatures
150 seconds
General
-
Target
9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe
-
Size
401KB
-
MD5
9f2785a5f1d54ce2076b7abe60ecce80
-
SHA1
fd4de23163219988da79a2f83454358d7644530c
-
SHA256
fa6fef39e618a09d4ba2a432a1cad6be094780948356b9b141060c383bc8b568
-
SHA512
f1f870b8bd820562c5ce8c07a603b6d87d785a1c32c6d2e99d06fc22ef4d545c20aeac13b640ebf6ef8dc05ad913161724dc5fd9fbef54d1c72634ee0cf315c8
-
SSDEEP
6144:kcm4FmowdHoSph3Ymu8wdHoSM05d34iWRbzami32:y4wFHoS3zuxHoSTd34iWRhiG
Malware Config (no extracted configuration is shown in this report)
Signatures
-
Detect Blackmoon payload — 64 IoCs (yara rule family_blackmoon, matched on memory dumps only; every hit is the same 0x400000–0x427000 image range in a different process of the drop chain, beginning with the original sample at PID 3724. The list stops at 64 entries, so treat it as a sample of the chain rather than an exhaustive count.)
Processes:
resource yara_rule behavioral2/memory/3724-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4736-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5100-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3360-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1948-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/540-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/636-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4988-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2632-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/644-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1640-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3496-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/608-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1820-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4060-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/760-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1660-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3308-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2180-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4376-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1188-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4684-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2816-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4692-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4572-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4064-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1792-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4128-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3984-365-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1940-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2276-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1904-433-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-446-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1056-450-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1856-500-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4640-535-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1052-548-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/840-555-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3812-557-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-589-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-607-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-662-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3004-679-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4020-709-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1264-719-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2700-729-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4424-891-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1828-953-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4216-1014-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list stops at 64; the process tree below shows 241 dropped executables, each placed at the root of C:\ under a random-looking name and each launched by the one before it in a single linear chain)
Processes:
lfxlfff.exe2082262.exelfrrrxx.exejjpjj.exedjjpp.exexxlrllf.exevvjjp.exe5lrlfxf.exe4066004.exexrffxxr.exe2882604.exe5pppv.exetnnhbb.exetnbtnh.exe0626222.exelfrrlxr.exe840022.exe02060.exe62486.exe6404226.exe80448.exe82000.exeffxrrrl.exebbhhnh.exe84226.exe0444222.exenhnntt.exebbhhhh.exe7ntnnt.exe6888826.exedpvdd.exeffrrfrr.exebtttnn.exe7lrlffr.exevjvpj.exeu682666.exe88466.exe88004.exeq02262.exe440000.exethbttn.exe48488.exe604464.exe04224.exettbttn.exe44482.exepppjd.exexrrlffx.exek64848.exelfxxrrl.exe4666244.exe2084886.exes2204.exe64800.exe268824.exebbnntb.exefxxfrfl.exebnhbbt.exevvddd.exethttnn.exe64288.exevpjdd.exedjppj.exebhhhbb.exepid process 4736 lfxlfff.exe 2816 2082262.exe 4684 lfrrrxx.exe 5100 jjpjj.exe 1188 djjpp.exe 2924 xxlrllf.exe 4712 vvjjp.exe 4376 5lrlfxf.exe 4708 4066004.exe 2740 xrffxxr.exe 2180 2882604.exe 3308 5pppv.exe 4788 tnnhbb.exe 1660 tnbtnh.exe 5108 0626222.exe 760 lfrrlxr.exe 4060 840022.exe 2232 02060.exe 1820 62486.exe 2436 6404226.exe 4456 80448.exe 1972 82000.exe 608 ffxrrrl.exe 3496 bbhhnh.exe 1640 84226.exe 2752 0444222.exe 2336 nhnntt.exe 1436 bbhhhh.exe 4580 7ntnnt.exe 3564 6888826.exe 644 dpvdd.exe 1204 ffrrfrr.exe 2632 btttnn.exe 4632 7lrlffr.exe 4988 vjvpj.exe 636 u682666.exe 3184 88466.exe 4536 88004.exe 1048 q02262.exe 1772 440000.exe 4272 thbttn.exe 436 48488.exe 3360 604464.exe 4976 04224.exe 3052 ttbttn.exe 468 44482.exe 1948 pppjd.exe 3508 xrrlffx.exe 4188 k64848.exe 4464 lfxxrrl.exe 5004 4666244.exe 4208 2084886.exe 540 s2204.exe 3520 64800.exe 1680 268824.exe 916 bbnntb.exe 3432 fxxfrfl.exe 3024 bnhbbt.exe 4692 vvddd.exe 448 thttnn.exe 3060 64288.exe 4572 vpjdd.exe 5088 djppj.exe 4100 bhhhbb.exe -
UPX-packed regions and dropped files (signature heading lost in extraction; every hit below carries the yara rule name upx) — 64 IoCs. The original sample's own image at PID 3724 (0x400000–0x427000) is among the upx hits and the same region also matches family_blackmoon above, so the Blackmoon match appears to be on the unpacked in-memory image — confirm with a memory dump if it matters for attribution.
Processes:
resource yara_rule behavioral2/memory/3724-0-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\lfxlfff.exe upx behavioral2/memory/3724-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4736-8-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\2082262.exe upx \??\c:\lfrrrxx.exe upx \??\c:\jjpjj.exe upx behavioral2/memory/5100-31-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\xxlrllf.exe upx \??\c:\vvjjp.exe upx \??\c:\5lrlfxf.exe upx \??\c:\4066004.exe upx C:\xrffxxr.exe upx \??\c:\2882604.exe upx \??\c:\5pppv.exe upx \??\c:\tnnhbb.exe upx \??\c:\840022.exe upx \??\c:\ffxrrrl.exe upx \??\c:\84226.exe upx \??\c:\nhnntt.exe upx \??\c:\7ntnnt.exe upx \??\c:\dpvdd.exe upx behavioral2/memory/3360-226-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1948-241-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5004-254-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4976-231-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4272-219-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/540-259-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3184-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/636-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4988-199-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4632-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2632-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/644-183-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\ffrrfrr.exe upx behavioral2/memory/4580-172-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\6888826.exe upx \??\c:\bbhhhh.exe upx behavioral2/memory/1640-151-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\0444222.exe upx 
behavioral2/memory/3496-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/608-139-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\bbhhnh.exe upx behavioral2/memory/1972-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4456-127-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\82000.exe upx \??\c:\80448.exe upx behavioral2/memory/1820-116-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\6404226.exe upx \??\c:\62486.exe upx behavioral2/memory/4060-106-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\02060.exe upx behavioral2/memory/760-99-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\lfrrlxr.exe upx behavioral2/memory/1660-88-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\0626222.exe upx behavioral2/memory/4788-82-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\tnbtnh.exe upx behavioral2/memory/3308-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2180-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4376-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4712-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1188-30-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\djjpp.exe upx -
Suspicious use of WriteProcessMemory — 64 IoCs (the list stops at 64; every entry is a parent writing into the child it has just spawned, three records per parent/child pair, and no write targets a process outside the chain. This is consistent with the writes made while setting up a newly created child rather than injection into a foreign process — verify against the full API trace before treating it as injection.)
Processes:
9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exelfxlfff.exe2082262.exelfrrrxx.exejjpjj.exedjjpp.exexxlrllf.exevvjjp.exe5lrlfxf.exe4066004.exexrffxxr.exe2882604.exe5pppv.exetnnhbb.exetnbtnh.exe0626222.exelfrrlxr.exe840022.exe02060.exe62486.exe6404226.exe80448.exedescription pid process target process PID 3724 wrote to memory of 4736 3724 9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe lfxlfff.exe PID 3724 wrote to memory of 4736 3724 9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe lfxlfff.exe PID 3724 wrote to memory of 4736 3724 9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe lfxlfff.exe PID 4736 wrote to memory of 2816 4736 lfxlfff.exe 2082262.exe PID 4736 wrote to memory of 2816 4736 lfxlfff.exe 2082262.exe PID 4736 wrote to memory of 2816 4736 lfxlfff.exe 2082262.exe PID 2816 wrote to memory of 4684 2816 2082262.exe lfrrrxx.exe PID 2816 wrote to memory of 4684 2816 2082262.exe lfrrrxx.exe PID 2816 wrote to memory of 4684 2816 2082262.exe lfrrrxx.exe PID 4684 wrote to memory of 5100 4684 lfrrrxx.exe jjpjj.exe PID 4684 wrote to memory of 5100 4684 lfrrrxx.exe jjpjj.exe PID 4684 wrote to memory of 5100 4684 lfrrrxx.exe jjpjj.exe PID 5100 wrote to memory of 1188 5100 jjpjj.exe djjpp.exe PID 5100 wrote to memory of 1188 5100 jjpjj.exe djjpp.exe PID 5100 wrote to memory of 1188 5100 jjpjj.exe djjpp.exe PID 1188 wrote to memory of 2924 1188 djjpp.exe xxlrllf.exe PID 1188 wrote to memory of 2924 1188 djjpp.exe xxlrllf.exe PID 1188 wrote to memory of 2924 1188 djjpp.exe xxlrllf.exe PID 2924 wrote to memory of 4712 2924 xxlrllf.exe vvjjp.exe PID 2924 wrote to memory of 4712 2924 xxlrllf.exe vvjjp.exe PID 2924 wrote to memory of 4712 2924 xxlrllf.exe vvjjp.exe PID 4712 wrote to memory of 4376 4712 vvjjp.exe 5lrlfxf.exe PID 4712 wrote to memory of 4376 4712 vvjjp.exe 5lrlfxf.exe PID 4712 wrote to memory of 4376 4712 vvjjp.exe 5lrlfxf.exe PID 4376 wrote to memory of 4708 4376 5lrlfxf.exe 4066004.exe PID 4376 wrote to memory of 4708 4376 5lrlfxf.exe 4066004.exe 
PID 4376 wrote to memory of 4708 4376 5lrlfxf.exe 4066004.exe PID 4708 wrote to memory of 2740 4708 4066004.exe xrffxxr.exe PID 4708 wrote to memory of 2740 4708 4066004.exe xrffxxr.exe PID 4708 wrote to memory of 2740 4708 4066004.exe xrffxxr.exe PID 2740 wrote to memory of 2180 2740 xrffxxr.exe 2882604.exe PID 2740 wrote to memory of 2180 2740 xrffxxr.exe 2882604.exe PID 2740 wrote to memory of 2180 2740 xrffxxr.exe 2882604.exe PID 2180 wrote to memory of 3308 2180 2882604.exe 5pppv.exe PID 2180 wrote to memory of 3308 2180 2882604.exe 5pppv.exe PID 2180 wrote to memory of 3308 2180 2882604.exe 5pppv.exe PID 3308 wrote to memory of 4788 3308 5pppv.exe tnnhbb.exe PID 3308 wrote to memory of 4788 3308 5pppv.exe tnnhbb.exe PID 3308 wrote to memory of 4788 3308 5pppv.exe tnnhbb.exe PID 4788 wrote to memory of 1660 4788 tnnhbb.exe tnbtnh.exe PID 4788 wrote to memory of 1660 4788 tnnhbb.exe tnbtnh.exe PID 4788 wrote to memory of 1660 4788 tnnhbb.exe tnbtnh.exe PID 1660 wrote to memory of 5108 1660 tnbtnh.exe 0626222.exe PID 1660 wrote to memory of 5108 1660 tnbtnh.exe 0626222.exe PID 1660 wrote to memory of 5108 1660 tnbtnh.exe 0626222.exe PID 5108 wrote to memory of 760 5108 0626222.exe lfrrlxr.exe PID 5108 wrote to memory of 760 5108 0626222.exe lfrrlxr.exe PID 5108 wrote to memory of 760 5108 0626222.exe lfrrlxr.exe PID 760 wrote to memory of 4060 760 lfrrlxr.exe 840022.exe PID 760 wrote to memory of 4060 760 lfrrlxr.exe 840022.exe PID 760 wrote to memory of 4060 760 lfrrlxr.exe 840022.exe PID 4060 wrote to memory of 2232 4060 840022.exe 02060.exe PID 4060 wrote to memory of 2232 4060 840022.exe 02060.exe PID 4060 wrote to memory of 2232 4060 840022.exe 02060.exe PID 2232 wrote to memory of 1820 2232 02060.exe 62486.exe PID 2232 wrote to memory of 1820 2232 02060.exe 62486.exe PID 2232 wrote to memory of 1820 2232 02060.exe 62486.exe PID 1820 wrote to memory of 2436 1820 62486.exe 6404226.exe PID 1820 wrote to memory of 2436 1820 62486.exe 6404226.exe PID 1820 wrote 
to memory of 2436 1820 62486.exe 6404226.exe PID 2436 wrote to memory of 4456 2436 6404226.exe 80448.exe PID 2436 wrote to memory of 4456 2436 6404226.exe 80448.exe PID 2436 wrote to memory of 4456 2436 6404226.exe 80448.exe PID 4456 wrote to memory of 1972 4456 80448.exe 26664.exe [Note: the last entry names target PID 1972 as 26664.exe, but in the process tree the child of 80448.exe (PID 4456, level 22) is 82000.exe with PID 1972 (level 23); 26664.exe is a later process (level 73) that reused PID 1972 after 82000.exe exited. The target name here was resolved against the later process — correlate by PID plus spawn order, not PID alone.]
Processes (tree; note that PIDs are reused later in the chain — e.g. 3724 is the original sample at level 1 and q64482.exe at level 102, 4736 is lfxlfff.exe at level 2 and 5ddvv.exe at level 103, 1972 is 82000.exe at level 23 and 26664.exe at level 73 — so earlier stages had already exited by then. Any IoC or detection keyed on PID alone will be ambiguous; key on PID plus spawn order or start time.)
-
C:\Users\Admin\AppData\Local\Temp\9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\lfxlfff.exec:\lfxlfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\2082262.exec:\2082262.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\lfrrrxx.exec:\lfrrrxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\jjpjj.exec:\jjpjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\djjpp.exec:\djjpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\xxlrllf.exec:\xxlrllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\vvjjp.exec:\vvjjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\5lrlfxf.exec:\5lrlfxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\4066004.exec:\4066004.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\xrffxxr.exec:\xrffxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\2882604.exec:\2882604.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\5pppv.exec:\5pppv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\tnnhbb.exec:\tnnhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\tnbtnh.exec:\tnbtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\0626222.exec:\0626222.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\lfrrlxr.exec:\lfrrlxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\840022.exec:\840022.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\02060.exec:\02060.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\62486.exec:\62486.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\6404226.exec:\6404226.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\80448.exec:\80448.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\82000.exec:\82000.exe23⤵
- Executes dropped EXE
PID:1972 -
\??\c:\ffxrrrl.exec:\ffxrrrl.exe24⤵
- Executes dropped EXE
PID:608 -
\??\c:\bbhhnh.exec:\bbhhnh.exe25⤵
- Executes dropped EXE
PID:3496 -
\??\c:\84226.exec:\84226.exe26⤵
- Executes dropped EXE
PID:1640 -
\??\c:\0444222.exec:\0444222.exe27⤵
- Executes dropped EXE
PID:2752 -
\??\c:\nhnntt.exec:\nhnntt.exe28⤵
- Executes dropped EXE
PID:2336 -
\??\c:\bbhhhh.exec:\bbhhhh.exe29⤵
- Executes dropped EXE
PID:1436 -
\??\c:\7ntnnt.exec:\7ntnnt.exe30⤵
- Executes dropped EXE
PID:4580 -
\??\c:\6888826.exec:\6888826.exe31⤵
- Executes dropped EXE
PID:3564 -
\??\c:\dpvdd.exec:\dpvdd.exe32⤵
- Executes dropped EXE
PID:644 -
\??\c:\ffrrfrr.exec:\ffrrfrr.exe33⤵
- Executes dropped EXE
PID:1204 -
\??\c:\btttnn.exec:\btttnn.exe34⤵
- Executes dropped EXE
PID:2632 -
\??\c:\7lrlffr.exec:\7lrlffr.exe35⤵
- Executes dropped EXE
PID:4632 -
\??\c:\vjvpj.exec:\vjvpj.exe36⤵
- Executes dropped EXE
PID:4988 -
\??\c:\u682666.exec:\u682666.exe37⤵
- Executes dropped EXE
PID:636 -
\??\c:\88466.exec:\88466.exe38⤵
- Executes dropped EXE
PID:3184 -
\??\c:\88004.exec:\88004.exe39⤵
- Executes dropped EXE
PID:4536 -
\??\c:\q02262.exec:\q02262.exe40⤵
- Executes dropped EXE
PID:1048 -
\??\c:\440000.exec:\440000.exe41⤵
- Executes dropped EXE
PID:1772 -
\??\c:\thbttn.exec:\thbttn.exe42⤵
- Executes dropped EXE
PID:4272 -
\??\c:\48488.exec:\48488.exe43⤵
- Executes dropped EXE
PID:436 -
\??\c:\604464.exec:\604464.exe44⤵
- Executes dropped EXE
PID:3360 -
\??\c:\04224.exec:\04224.exe45⤵
- Executes dropped EXE
PID:4976 -
\??\c:\ttbttn.exec:\ttbttn.exe46⤵
- Executes dropped EXE
PID:3052 -
\??\c:\44482.exec:\44482.exe47⤵
- Executes dropped EXE
PID:468 -
\??\c:\pppjd.exec:\pppjd.exe48⤵
- Executes dropped EXE
PID:1948 -
\??\c:\xrrlffx.exec:\xrrlffx.exe49⤵
- Executes dropped EXE
PID:3508 -
\??\c:\k64848.exec:\k64848.exe50⤵
- Executes dropped EXE
PID:4188 -
\??\c:\lfxxrrl.exec:\lfxxrrl.exe51⤵
- Executes dropped EXE
PID:4464 -
\??\c:\4666244.exec:\4666244.exe52⤵
- Executes dropped EXE
PID:5004 -
\??\c:\2084886.exec:\2084886.exe53⤵
- Executes dropped EXE
PID:4208 -
\??\c:\s2204.exec:\s2204.exe54⤵
- Executes dropped EXE
PID:540 -
\??\c:\64800.exec:\64800.exe55⤵
- Executes dropped EXE
PID:3520 -
\??\c:\268824.exec:\268824.exe56⤵
- Executes dropped EXE
PID:1680 -
\??\c:\bbnntb.exec:\bbnntb.exe57⤵
- Executes dropped EXE
PID:916 -
\??\c:\fxxfrfl.exec:\fxxfrfl.exe58⤵
- Executes dropped EXE
PID:3432 -
\??\c:\bnhbbt.exec:\bnhbbt.exe59⤵
- Executes dropped EXE
PID:3024 -
\??\c:\vvddd.exec:\vvddd.exe60⤵
- Executes dropped EXE
PID:4692 -
\??\c:\thttnn.exec:\thttnn.exe61⤵
- Executes dropped EXE
PID:448 -
\??\c:\64288.exec:\64288.exe62⤵
- Executes dropped EXE
PID:3060 -
\??\c:\vpjdd.exec:\vpjdd.exe63⤵
- Executes dropped EXE
PID:4572 -
\??\c:\djppj.exec:\djppj.exe64⤵
- Executes dropped EXE
PID:5088 -
\??\c:\bhhhbb.exec:\bhhhbb.exe65⤵
- Executes dropped EXE
PID:4100 -
\??\c:\824844.exec:\824844.exe66⤵PID:5104
-
\??\c:\0244488.exec:\0244488.exe67⤵PID:2236
-
\??\c:\xxfxffx.exec:\xxfxffx.exe68⤵PID:3544
-
\??\c:\hhhnnt.exec:\hhhnnt.exe69⤵PID:4452
-
\??\c:\084826.exec:\084826.exe70⤵PID:3964
-
\??\c:\rlrxrrr.exec:\rlrxrrr.exe71⤵PID:1644
-
\??\c:\c060882.exec:\c060882.exe72⤵PID:4064
-
\??\c:\26664.exec:\26664.exe73⤵PID:1972
-
\??\c:\4222602.exec:\4222602.exe74⤵PID:4728
-
\??\c:\206480.exec:\206480.exe75⤵PID:4292
-
\??\c:\606604.exec:\606604.exe76⤵PID:1396
-
\??\c:\8226026.exec:\8226026.exe77⤵PID:4428
-
\??\c:\dppjv.exec:\dppjv.exe78⤵PID:1700
-
\??\c:\9tnhbb.exec:\9tnhbb.exe79⤵PID:1792
-
\??\c:\w24822.exec:\w24822.exe80⤵PID:4580
-
\??\c:\bhtbnh.exec:\bhtbnh.exe81⤵PID:4128
-
\??\c:\426266.exec:\426266.exe82⤵PID:3004
-
\??\c:\xxrlfxr.exec:\xxrlfxr.exe83⤵PID:648
-
\??\c:\hbhhnt.exec:\hbhhnt.exe84⤵PID:1440
-
\??\c:\480000.exec:\480000.exe85⤵PID:3984
-
\??\c:\hntthh.exec:\hntthh.exe86⤵PID:3264
-
\??\c:\jvvdv.exec:\jvvdv.exe87⤵PID:4112
-
\??\c:\ttntnh.exec:\ttntnh.exe88⤵PID:4652
-
\??\c:\hbnbhh.exec:\hbnbhh.exe89⤵PID:1072
-
\??\c:\3bbthn.exec:\3bbthn.exe90⤵PID:4272
-
\??\c:\440488.exec:\440488.exe91⤵PID:1940
-
\??\c:\hbnbnn.exec:\hbnbnn.exe92⤵PID:1052
-
\??\c:\808866.exec:\808866.exe93⤵PID:5060
-
\??\c:\84622.exec:\84622.exe94⤵PID:3152
-
\??\c:\bnhbnn.exec:\bnhbnn.exe95⤵PID:4220
-
\??\c:\tnnhbb.exec:\tnnhbb.exe96⤵PID:1592
-
\??\c:\fllrlrr.exec:\fllrlrr.exe97⤵PID:4468
-
\??\c:\xxrxrxf.exec:\xxrxrxf.exe98⤵PID:2276
-
\??\c:\c626088.exec:\c626088.exe99⤵PID:5080
-
\??\c:\4802686.exec:\4802686.exe100⤵PID:4188
-
\??\c:\2082600.exec:\2082600.exe101⤵PID:2036
-
\??\c:\q64482.exec:\q64482.exe102⤵PID:3724
-
\??\c:\5ddvv.exec:\5ddvv.exe103⤵PID:4736
-
\??\c:\w84826.exec:\w84826.exe104⤵PID:1724
-
\??\c:\u420444.exec:\u420444.exe105⤵PID:3756
-
\??\c:\826082.exec:\826082.exe106⤵PID:1904
-
\??\c:\600004.exec:\600004.exe107⤵PID:4084
-
\??\c:\5vdvj.exec:\5vdvj.exe108⤵PID:3176
-
\??\c:\xffxrrl.exec:\xffxrrl.exe109⤵PID:4716
-
\??\c:\nhnhbt.exec:\nhnhbt.exe110⤵PID:4712
-
\??\c:\8806004.exec:\8806004.exe111⤵PID:1056
-
\??\c:\9rxffff.exec:\9rxffff.exe112⤵PID:1256
-
\??\c:\2466048.exec:\2466048.exe113⤵PID:780
-
\??\c:\w06048.exec:\w06048.exe114⤵PID:3716
-
\??\c:\20644.exec:\20644.exe115⤵PID:3960
-
\??\c:\nbtthh.exec:\nbtthh.exe116⤵PID:5084
-
\??\c:\u404260.exec:\u404260.exe117⤵PID:1060
-
\??\c:\pdvvd.exec:\pdvvd.exe118⤵PID:4748
-
\??\c:\xllfxrl.exec:\xllfxrl.exe119⤵PID:1368
-
\??\c:\3lffxrr.exec:\3lffxrr.exe120⤵PID:4620
-
\??\c:\84226.exec:\84226.exe121⤵PID:4628
-
\??\c:\xxxxrrr.exec:\xxxxrrr.exe122⤵PID:4268
-
\??\c:\0220800.exec:\0220800.exe123⤵PID:4460
-
\??\c:\488642.exec:\488642.exe124⤵PID:608
-
\??\c:\488284.exec:\488284.exe125⤵PID:1064
-
\??\c:\c242600.exec:\c242600.exe126⤵PID:2972
-
\??\c:\024482.exec:\024482.exe127⤵PID:1856
-
\??\c:\hnbttt.exec:\hnbttt.exe128⤵PID:1184
-
\??\c:\5rrrllf.exec:\5rrrllf.exe129⤵PID:1436
-
\??\c:\o442222.exec:\o442222.exe130⤵PID:1324
-
\??\c:\jpdpd.exec:\jpdpd.exe131⤵PID:3564
-
\??\c:\8444488.exec:\8444488.exe132⤵PID:2080
-
\??\c:\4846260.exec:\4846260.exe133⤵PID:4880
-
\??\c:\nhtnnt.exec:\nhtnnt.exe134⤵PID:2472
-
\??\c:\284488.exec:\284488.exe135⤵PID:836
-
\??\c:\2066444.exec:\2066444.exe136⤵PID:5112
-
\??\c:\pvjdd.exec:\pvjdd.exe137⤵PID:3184
-
\??\c:\rlxrllf.exec:\rlxrllf.exe138⤵PID:4640
-
\??\c:\40086.exec:\40086.exe139⤵PID:2968
-
\??\c:\8444488.exec:\8444488.exe140⤵PID:1072
-
\??\c:\646608.exec:\646608.exe141⤵PID:4272
-
\??\c:\ppdvv.exec:\ppdvv.exe142⤵PID:3316
-
\??\c:\1xfxrfx.exec:\1xfxrfx.exe143⤵PID:1052
-
\??\c:\2688282.exec:\2688282.exe144⤵PID:840
-
\??\c:\6866604.exec:\6866604.exe145⤵PID:3812
-
\??\c:\6426442.exec:\6426442.exe146⤵PID:3380
-
\??\c:\62884.exec:\62884.exe147⤵PID:1592
-
\??\c:\4444222.exec:\4444222.exe148⤵PID:3244
-
\??\c:\484260.exec:\484260.exe149⤵PID:2276
-
\??\c:\rrrllfx.exec:\rrrllfx.exe150⤵PID:2272
-
\??\c:\66484.exec:\66484.exe151⤵PID:4012
-
\??\c:\tttnhh.exec:\tttnhh.exe152⤵PID:2036
-
\??\c:\xrfxrrl.exec:\xrfxrrl.exe153⤵PID:4704
-
\??\c:\ppdvd.exec:\ppdvd.exe154⤵PID:3192
-
\??\c:\6084662.exec:\6084662.exe155⤵PID:3688
-
\??\c:\m2642.exec:\m2642.exe156⤵PID:540
-
\??\c:\1hnnhh.exec:\1hnnhh.exe157⤵PID:3300
-
\??\c:\400484.exec:\400484.exe158⤵PID:1484
-
\??\c:\2666602.exec:\2666602.exe159⤵PID:4396
-
\??\c:\0260404.exec:\0260404.exe160⤵PID:4992
-
\??\c:\frfrxlr.exec:\frfrxlr.exe161⤵PID:2748
-
\??\c:\3tnhhh.exec:\3tnhhh.exe162⤵PID:4708
-
\??\c:\468862.exec:\468862.exe163⤵PID:3536
-
\??\c:\ttbttt.exec:\ttbttt.exe164⤵PID:736
-
\??\c:\0844888.exec:\0844888.exe165⤵PID:4888
-
\??\c:\tnnhhh.exec:\tnnhhh.exe166⤵PID:780
-
\??\c:\4060448.exec:\4060448.exe167⤵PID:3960
-
\??\c:\4688046.exec:\4688046.exe168⤵PID:5032
-
\??\c:\btnhbt.exec:\btnhbt.exe169⤵PID:3544
-
\??\c:\lrxrffx.exec:\lrxrffx.exe170⤵PID:2320
-
\??\c:\020622.exec:\020622.exe171⤵PID:768
-
\??\c:\0226448.exec:\0226448.exe172⤵PID:2412
-
\??\c:\dpvvd.exec:\dpvvd.exe173⤵PID:4328
-
\??\c:\tnnhnh.exec:\tnnhnh.exe174⤵PID:4064
-
\??\c:\6682226.exec:\6682226.exe175⤵PID:1972
-
\??\c:\0066004.exec:\0066004.exe176⤵PID:1428
-
\??\c:\02826.exec:\02826.exe177⤵PID:4292
-
\??\c:\vdjjd.exec:\vdjjd.exe178⤵PID:4428
-
\??\c:\40660.exec:\40660.exe179⤵PID:3624
-
\??\c:\44860.exec:\44860.exe180⤵PID:3676
-
\??\c:\46006.exec:\46006.exe181⤵PID:3580
-
\??\c:\06208.exec:\06208.exe182⤵PID:4648
-
\??\c:\88882.exec:\88882.exe183⤵PID:4732
-
\??\c:\hhhbtt.exec:\hhhbtt.exe184⤵PID:3004
-
\??\c:\bbtnhb.exec:\bbtnhb.exe185⤵PID:2640
-
\??\c:\flrlffx.exec:\flrlffx.exe186⤵PID:636
-
\??\c:\djppj.exec:\djppj.exe187⤵PID:4724
-
\??\c:\42202.exec:\42202.exe188⤵PID:4112
-
\??\c:\rffrlff.exec:\rffrlff.exe189⤵PID:4652
-
\??\c:\8466444.exec:\8466444.exe190⤵PID:5000
-
\??\c:\606666.exec:\606666.exe191⤵PID:2192
-
\??\c:\jjvvp.exec:\jjvvp.exe192⤵PID:4020
-
\??\c:\06660.exec:\06660.exe193⤵PID:4052
-
\??\c:\628866.exec:\628866.exe194⤵PID:1052
-
\??\c:\jpjdv.exec:\jpjdv.exe195⤵PID:840
-
\??\c:\402222.exec:\402222.exe196⤵PID:1264
-
\??\c:\jjpjv.exec:\jjpjv.exe197⤵PID:1948
-
\??\c:\htthbt.exec:\htthbt.exe198⤵PID:4380
-
\??\c:\48448.exec:\48448.exe199⤵PID:2700
-
\??\c:\w84204.exec:\w84204.exe200⤵PID:2272
-
\??\c:\5djjd.exec:\5djjd.exe201⤵PID:1240
-
\??\c:\jdjdv.exec:\jdjdv.exe202⤵PID:4032
-
\??\c:\4628226.exec:\4628226.exe203⤵PID:2440
-
\??\c:\tnbbbb.exec:\tnbbbb.exe204⤵PID:540
-
\??\c:\djppj.exec:\djppj.exe205⤵PID:1584
-
\??\c:\u460662.exec:\u460662.exe206⤵PID:3572
-
\??\c:\jvvvp.exec:\jvvvp.exe207⤵PID:4348
-
\??\c:\hhttbb.exec:\hhttbb.exe208⤵PID:3760
-
\??\c:\5ttnbn.exec:\5ttnbn.exe209⤵PID:1056
-
\??\c:\7nbtnn.exec:\7nbtnn.exe210⤵PID:3716
-
\??\c:\lfxxrrf.exec:\lfxxrrf.exe211⤵PID:5108
-
\??\c:\8806448.exec:\8806448.exe212⤵PID:5084
-
\??\c:\8226626.exec:\8226626.exe213⤵PID:1060
-
\??\c:\jdjvj.exec:\jdjvj.exe214⤵PID:3544
-
\??\c:\jpppj.exec:\jpppj.exe215⤵PID:2320
-
\??\c:\vdvpd.exec:\vdvpd.exe216⤵PID:768
-
\??\c:\7djdv.exec:\7djdv.exe217⤵PID:2412
-
\??\c:\226624.exec:\226624.exe218⤵PID:4136
-
\??\c:\402822.exec:\402822.exe219⤵PID:404
-
\??\c:\tbhbnn.exec:\tbhbnn.exe220⤵PID:4520
-
\??\c:\084844.exec:\084844.exe221⤵PID:1428
-
\??\c:\tnhntb.exec:\tnhntb.exe222⤵PID:4292
-
\??\c:\e00422.exec:\e00422.exe223⤵PID:524
-
\??\c:\048488.exec:\048488.exe224⤵PID:4580
-
\??\c:\26626.exec:\26626.exe225⤵PID:1100
-
\??\c:\880600.exec:\880600.exe226⤵PID:3580
-
\??\c:\xxfxrxr.exec:\xxfxrxr.exe227⤵PID:1480
-
\??\c:\40666.exec:\40666.exe228⤵PID:4880
-
\??\c:\0882604.exec:\0882604.exe229⤵PID:1440
-
\??\c:\8860662.exec:\8860662.exe230⤵PID:3984
-
\??\c:\60604.exec:\60604.exe231⤵PID:5112
-
\??\c:\tbhhbt.exec:\tbhhbt.exe232⤵PID:1956
-
\??\c:\260682.exec:\260682.exe233⤵PID:4112
-
\??\c:\vjdvp.exec:\vjdvp.exe234⤵PID:4652
-
\??\c:\006482.exec:\006482.exe235⤵PID:436
-
\??\c:\rlxrrrx.exec:\rlxrrrx.exe236⤵PID:1072
-
\??\c:\ppjdv.exec:\ppjdv.exe237⤵PID:1256
-
\??\c:\268484.exec:\268484.exe238⤵PID:4948
-
\??\c:\pdpjv.exec:\pdpjv.exe239⤵PID:3552
-
\??\c:\vdjvp.exec:\vdjvp.exe240⤵PID:3812
-
\??\c:\rllxrlf.exec:\rllxrlf.exe241⤵PID:4656
-
\??\c:\486404.exec:\486404.exe242⤵PID:3244