Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
18-05-2024 06:05
Behavioral task
behavioral1
Sample
9f9f75569cf59abd5de3175a12352680_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
5 signatures
150 seconds
Note: this task header describes the Windows 7 run (behavioral1, win7-20240221-en), but every IoC listed under Signatures below is tagged behavioral2, i.e. the Windows 10 run (win10v2004-20240508-en, 149 s) described under Analysis; the Windows 7 results themselves are not shown on this page.
General
-
Target
9f9f75569cf59abd5de3175a12352680_NeikiAnalytics.exe
-
Size
80KB
-
MD5
9f9f75569cf59abd5de3175a12352680
-
SHA1
5a9a8defa6f7f08b4836a1b79db17a9c98cb9af5
-
SHA256
6d7e0ac80f64c846d209d1e6594f6c3c2dd901f96f9a99fda5fd03cb20756596
-
SHA512
68704fdc1452e0f44c44c2e931d3adeb209a018fe9ff167f8ad62ce6df372901476a3f61c70ae631d41fcc27ca0b0c532f49b7bc94e6ff61190387cebfe4f6bf
-
SSDEEP
1536:zvQBeOGtrYS3srx93UBWfwC6Ggnouy8iT4+C2HVM1p6TVqMJ89w:zhOmTsF93UYfwC6GIoutiTU2HVS6cMJN
Malware Config (no extracted configuration is listed for this sample)
Signatures
-
Detect Blackmoon payload — 64 IoCs (YARA rule `family_blackmoon` matched in the memory dump of each process, always over the image range 0x00400000–0x00427000; the 64 count appears to be a display cap, since the process tree below runs far past 64 processes)
Processes:
resource yara_rule behavioral2/memory/8-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3468-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3972-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2724-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1644-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2604-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/852-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2152-61-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1900-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1940-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2288-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2504-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2708-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4812-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1056-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1904-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2616-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3268-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4964-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3036-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3880-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4684-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/800-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4620-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3304-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4336-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3572-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1724-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2604-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2604-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3876-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1584-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/952-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2448-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4968-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3388-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4916-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1524-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2196-366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/848-460-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3348-483-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2200-626-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3364-635-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-639-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-717-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2044-734-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4420-815-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/956-839-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (only the first 64 dropped executables are listed; the process tree below continues to 241 dropped EXEs. Every drop is written to the drive root, c:\, with a name composed solely of the letters b d f h j l n p r t v x plus an optional leading digit — a usable hunting pattern for this sample's chain)
Processes:
xlffxxr.exebbnbbb.exejjvvv.exerfrrlxx.exettbbbb.exe1jjpj.exedvvjj.exeffrrffr.exetntttt.exe7pjjp.exejjdvp.exellffrrf.exehhthht.exenbnnhh.exe5pjjd.exe9dddd.exexrllfff.exetbhbnb.exevvvpp.exexrflfrf.exelxlllll.exebhhhbh.exedjpdj.exelllllrr.exexlrrrrr.exehnbbtt.exetnnnhh.exejvddd.exe7xllfrx.exetnnnhh.exehhnntt.exe3frrrrr.exerlrxxfl.exenbtnnt.exehnttnb.exeppvvv.exelrffxfl.exelxflrrf.exethnnhn.exenhttnn.exeddddd.exepdpvp.exefrrlfff.exexrfffff.exenthnbh.exetbbnnn.exedjppp.exevjjjd.exelxxxrlr.exexflllxx.exentbbtn.exeddppp.exejjjjv.exeppjpd.exe1pvdv.exe3jjdd.exerllrxll.exexrxlfff.exennhntt.exenbtbbh.exevpvvp.exelxlllff.exelflfffx.exenntttt.exepid process 3468 xlffxxr.exe 2724 bbnbbb.exe 3972 jjvvv.exe 216 rfrrlxx.exe 1724 ttbbbb.exe 1608 1jjpj.exe 1644 dvvjj.exe 1476 ffrrffr.exe 2604 tntttt.exe 852 7pjjp.exe 2152 jjdvp.exe 1900 llffrrf.exe 4404 hhthht.exe 1940 nbnnhh.exe 4140 5pjjd.exe 4144 9dddd.exe 2288 xrllfff.exe 552 tbhbnb.exe 1796 vvvpp.exe 1348 xrflfrf.exe 2504 lxlllll.exe 1860 bhhhbh.exe 2708 djpdj.exe 4928 lllllrr.exe 1056 xlrrrrr.exe 4812 hnbbtt.exe 1904 tnnnhh.exe 2616 jvddd.exe 3268 7xllfrx.exe 4964 tnnnhh.exe 844 hhnntt.exe 3036 3frrrrr.exe 3880 rlrxxfl.exe 4684 nbtnnt.exe 3704 hnttnb.exe 800 ppvvv.exe 3612 lrffxfl.exe 4620 lxflrrf.exe 3304 thnnhn.exe 3084 nhttnn.exe 4840 ddddd.exe 2832 pdpvp.exe 5096 frrlfff.exe 5036 xrfffff.exe 4336 nthnbh.exe 5040 tbbnnn.exe 4036 djppp.exe 1656 vjjjd.exe 768 lxxxrlr.exe 3572 xflllxx.exe 4124 ntbbtn.exe 2192 ddppp.exe 1724 jjjjv.exe 4264 ppjpd.exe 2380 1pvdv.exe 1016 3jjdd.exe 1476 rllrxll.exe 4272 xrxlfff.exe 2604 nnhntt.exe 4776 nbtbbh.exe 4576 vpvvp.exe 2696 lxlllff.exe 1560 lflfffx.exe 1988 nntttt.exe -
UPX packed file (signature heading not captured on this page; inferred from the YARA rule tag `upx` on every entry below, which matches both the in-memory images and the dropped EXE files on disk)
Processes:
resource yara_rule behavioral2/memory/8-0-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\xlffxxr.exe upx behavioral2/memory/8-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3468-6-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\bbnbbb.exe upx C:\jjvvv.exe upx behavioral2/memory/3972-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2724-12-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\rfrrlxx.exe upx behavioral2/memory/216-24-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ttbbbb.exe upx \??\c:\1jjpj.exe upx behavioral2/memory/1608-30-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\dvvjj.exe upx behavioral2/memory/1608-35-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ffrrffr.exe upx behavioral2/memory/1644-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1476-41-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\tntttt.exe upx C:\7pjjp.exe upx behavioral2/memory/2604-50-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jjdvp.exe upx behavioral2/memory/852-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2152-56-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\llffrrf.exe upx behavioral2/memory/2152-61-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\hhthht.exe upx behavioral2/memory/1900-66-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\nbnnhh.exe upx C:\5pjjd.exe upx behavioral2/memory/1940-74-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\9dddd.exe upx behavioral2/memory/4144-81-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xrllfff.exe upx C:\tbhbnb.exe upx behavioral2/memory/2288-88-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\vvvpp.exe upx \??\c:\xrflfrf.exe upx C:\lxlllll.exe upx C:\bhhhbh.exe upx behavioral2/memory/2504-105-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1860-110-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\djpdj.exe upx C:\lllllrr.exe upx behavioral2/memory/2708-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4928-118-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xlrrrrr.exe upx C:\hnbbtt.exe upx behavioral2/memory/4812-128-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\tnnnhh.exe upx behavioral2/memory/1056-123-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jvddd.exe upx behavioral2/memory/1904-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2616-137-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\7xllfrx.exe upx behavioral2/memory/2616-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3268-146-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\tnnnhh.exe upx behavioral2/memory/4964-147-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\hhnntt.exe upx C:\3frrrrr.exe upx behavioral2/memory/3036-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3880-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4684-165-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory — 64 IoCs (every parent→child link in the chain is recorded as three writes; at 64 entries the listing is cut off at the 22nd link, lxlllll.exe → bhhhbh.exe, although the process tree below continues to depth 242)
Processes:
9f9f75569cf59abd5de3175a12352680_NeikiAnalytics.exexlffxxr.exebbnbbb.exejjvvv.exerfrrlxx.exettbbbb.exe1jjpj.exedvvjj.exeffrrffr.exetntttt.exe7pjjp.exejjdvp.exellffrrf.exehhthht.exenbnnhh.exe5pjjd.exe9dddd.exexrllfff.exetbhbnb.exevvvpp.exexrflfrf.exelxlllll.exedescription pid process target process PID 8 wrote to memory of 3468 8 9f9f75569cf59abd5de3175a12352680_NeikiAnalytics.exe xlffxxr.exe PID 8 wrote to memory of 3468 8 9f9f75569cf59abd5de3175a12352680_NeikiAnalytics.exe xlffxxr.exe PID 8 wrote to memory of 3468 8 9f9f75569cf59abd5de3175a12352680_NeikiAnalytics.exe xlffxxr.exe PID 3468 wrote to memory of 2724 3468 xlffxxr.exe bbnbbb.exe PID 3468 wrote to memory of 2724 3468 xlffxxr.exe bbnbbb.exe PID 3468 wrote to memory of 2724 3468 xlffxxr.exe bbnbbb.exe PID 2724 wrote to memory of 3972 2724 bbnbbb.exe jjvvv.exe PID 2724 wrote to memory of 3972 2724 bbnbbb.exe jjvvv.exe PID 2724 wrote to memory of 3972 2724 bbnbbb.exe jjvvv.exe PID 3972 wrote to memory of 216 3972 jjvvv.exe rfrrlxx.exe PID 3972 wrote to memory of 216 3972 jjvvv.exe rfrrlxx.exe PID 3972 wrote to memory of 216 3972 jjvvv.exe rfrrlxx.exe PID 216 wrote to memory of 1724 216 rfrrlxx.exe ttbbbb.exe PID 216 wrote to memory of 1724 216 rfrrlxx.exe ttbbbb.exe PID 216 wrote to memory of 1724 216 rfrrlxx.exe ttbbbb.exe PID 1724 wrote to memory of 1608 1724 ttbbbb.exe 1jjpj.exe PID 1724 wrote to memory of 1608 1724 ttbbbb.exe 1jjpj.exe PID 1724 wrote to memory of 1608 1724 ttbbbb.exe 1jjpj.exe PID 1608 wrote to memory of 1644 1608 1jjpj.exe dvvjj.exe PID 1608 wrote to memory of 1644 1608 1jjpj.exe dvvjj.exe PID 1608 wrote to memory of 1644 1608 1jjpj.exe dvvjj.exe PID 1644 wrote to memory of 1476 1644 dvvjj.exe ffrrffr.exe PID 1644 wrote to memory of 1476 1644 dvvjj.exe ffrrffr.exe PID 1644 wrote to memory of 1476 1644 dvvjj.exe ffrrffr.exe PID 1476 wrote to memory of 2604 1476 ffrrffr.exe tntttt.exe PID 1476 wrote to memory of 2604 1476 ffrrffr.exe tntttt.exe PID 1476 wrote to memory of 2604 1476 
ffrrffr.exe tntttt.exe PID 2604 wrote to memory of 852 2604 tntttt.exe 7pjjp.exe PID 2604 wrote to memory of 852 2604 tntttt.exe 7pjjp.exe PID 2604 wrote to memory of 852 2604 tntttt.exe 7pjjp.exe PID 852 wrote to memory of 2152 852 7pjjp.exe jjdvp.exe PID 852 wrote to memory of 2152 852 7pjjp.exe jjdvp.exe PID 852 wrote to memory of 2152 852 7pjjp.exe jjdvp.exe PID 2152 wrote to memory of 1900 2152 jjdvp.exe llffrrf.exe PID 2152 wrote to memory of 1900 2152 jjdvp.exe llffrrf.exe PID 2152 wrote to memory of 1900 2152 jjdvp.exe llffrrf.exe PID 1900 wrote to memory of 4404 1900 llffrrf.exe hhthht.exe PID 1900 wrote to memory of 4404 1900 llffrrf.exe hhthht.exe PID 1900 wrote to memory of 4404 1900 llffrrf.exe hhthht.exe PID 4404 wrote to memory of 1940 4404 hhthht.exe nbnnhh.exe PID 4404 wrote to memory of 1940 4404 hhthht.exe nbnnhh.exe PID 4404 wrote to memory of 1940 4404 hhthht.exe nbnnhh.exe PID 1940 wrote to memory of 4140 1940 nbnnhh.exe 5pjjd.exe PID 1940 wrote to memory of 4140 1940 nbnnhh.exe 5pjjd.exe PID 1940 wrote to memory of 4140 1940 nbnnhh.exe 5pjjd.exe PID 4140 wrote to memory of 4144 4140 5pjjd.exe 9dddd.exe PID 4140 wrote to memory of 4144 4140 5pjjd.exe 9dddd.exe PID 4140 wrote to memory of 4144 4140 5pjjd.exe 9dddd.exe PID 4144 wrote to memory of 2288 4144 9dddd.exe xrllfff.exe PID 4144 wrote to memory of 2288 4144 9dddd.exe xrllfff.exe PID 4144 wrote to memory of 2288 4144 9dddd.exe xrllfff.exe PID 2288 wrote to memory of 552 2288 xrllfff.exe tbhbnb.exe PID 2288 wrote to memory of 552 2288 xrllfff.exe tbhbnb.exe PID 2288 wrote to memory of 552 2288 xrllfff.exe tbhbnb.exe PID 552 wrote to memory of 1796 552 tbhbnb.exe vvvpp.exe PID 552 wrote to memory of 1796 552 tbhbnb.exe vvvpp.exe PID 552 wrote to memory of 1796 552 tbhbnb.exe vvvpp.exe PID 1796 wrote to memory of 1348 1796 vvvpp.exe xrflfrf.exe PID 1796 wrote to memory of 1348 1796 vvvpp.exe xrflfrf.exe PID 1796 wrote to memory of 1348 1796 vvvpp.exe xrflfrf.exe PID 1348 wrote to memory of 
2504 1348 xrflfrf.exe lxlllll.exe PID 1348 wrote to memory of 2504 1348 xrflfrf.exe lxlllll.exe PID 1348 wrote to memory of 2504 1348 xrflfrf.exe lxlllll.exe PID 2504 wrote to memory of 1860 2504 lxlllll.exe bhhhbh.exe
Processes (process tree; the trailing number on each command line is its depth in the chain)
Each process spawns exactly one child from c:\, and the chain reaches depth 242 within the 149 s Windows 10 run. PIDs are reused during the run — 1724 appears at depths 6 and 54, 1476 at 9 and 58, 2604 at 10 and 60, and the original sample's PID 8 reappears at depth 174 — so memory-dump IoCs keyed by PID (e.g. behavioral2/memory/1476-41 vs 1476-225) must be distinguished by the second number in the dump name, not by PID alone.
-
C:\Users\Admin\AppData\Local\Temp\9f9f75569cf59abd5de3175a12352680_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9f9f75569cf59abd5de3175a12352680_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\xlffxxr.exec:\xlffxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\bbnbbb.exec:\bbnbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\jjvvv.exec:\jjvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\rfrrlxx.exec:\rfrrlxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\ttbbbb.exec:\ttbbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\1jjpj.exec:\1jjpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\dvvjj.exec:\dvvjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\ffrrffr.exec:\ffrrffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\tntttt.exec:\tntttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\7pjjp.exec:\7pjjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\jjdvp.exec:\jjdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\llffrrf.exec:\llffrrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\hhthht.exec:\hhthht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\nbnnhh.exec:\nbnnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\5pjjd.exec:\5pjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\9dddd.exec:\9dddd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\xrllfff.exec:\xrllfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\tbhbnb.exec:\tbhbnb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\vvvpp.exec:\vvvpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\xrflfrf.exec:\xrflfrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\lxlllll.exec:\lxlllll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\bhhhbh.exec:\bhhhbh.exe23⤵
- Executes dropped EXE
PID:1860 -
\??\c:\djpdj.exec:\djpdj.exe24⤵
- Executes dropped EXE
PID:2708 -
\??\c:\lllllrr.exec:\lllllrr.exe25⤵
- Executes dropped EXE
PID:4928 -
\??\c:\xlrrrrr.exec:\xlrrrrr.exe26⤵
- Executes dropped EXE
PID:1056 -
\??\c:\hnbbtt.exec:\hnbbtt.exe27⤵
- Executes dropped EXE
PID:4812 -
\??\c:\tnnnhh.exec:\tnnnhh.exe28⤵
- Executes dropped EXE
PID:1904 -
\??\c:\jvddd.exec:\jvddd.exe29⤵
- Executes dropped EXE
PID:2616 -
\??\c:\7xllfrx.exec:\7xllfrx.exe30⤵
- Executes dropped EXE
PID:3268 -
\??\c:\tnnnhh.exec:\tnnnhh.exe31⤵
- Executes dropped EXE
PID:4964 -
\??\c:\hhnntt.exec:\hhnntt.exe32⤵
- Executes dropped EXE
PID:844 -
\??\c:\3frrrrr.exec:\3frrrrr.exe33⤵
- Executes dropped EXE
PID:3036 -
\??\c:\rlrxxfl.exec:\rlrxxfl.exe34⤵
- Executes dropped EXE
PID:3880 -
\??\c:\nbtnnt.exec:\nbtnnt.exe35⤵
- Executes dropped EXE
PID:4684 -
\??\c:\hnttnb.exec:\hnttnb.exe36⤵
- Executes dropped EXE
PID:3704 -
\??\c:\ppvvv.exec:\ppvvv.exe37⤵
- Executes dropped EXE
PID:800 -
\??\c:\lrffxfl.exec:\lrffxfl.exe38⤵
- Executes dropped EXE
PID:3612 -
\??\c:\lxflrrf.exec:\lxflrrf.exe39⤵
- Executes dropped EXE
PID:4620 -
\??\c:\thnnhn.exec:\thnnhn.exe40⤵
- Executes dropped EXE
PID:3304 -
\??\c:\nhttnn.exec:\nhttnn.exe41⤵
- Executes dropped EXE
PID:3084 -
\??\c:\ddddd.exec:\ddddd.exe42⤵
- Executes dropped EXE
PID:4840 -
\??\c:\pdpvp.exec:\pdpvp.exe43⤵
- Executes dropped EXE
PID:2832 -
\??\c:\frrlfff.exec:\frrlfff.exe44⤵
- Executes dropped EXE
PID:5096 -
\??\c:\xrfffff.exec:\xrfffff.exe45⤵
- Executes dropped EXE
PID:5036 -
\??\c:\nthnbh.exec:\nthnbh.exe46⤵
- Executes dropped EXE
PID:4336 -
\??\c:\tbbnnn.exec:\tbbnnn.exe47⤵
- Executes dropped EXE
PID:5040 -
\??\c:\djppp.exec:\djppp.exe48⤵
- Executes dropped EXE
PID:4036 -
\??\c:\vjjjd.exec:\vjjjd.exe49⤵
- Executes dropped EXE
PID:1656 -
\??\c:\lxxxrlr.exec:\lxxxrlr.exe50⤵
- Executes dropped EXE
PID:768 -
\??\c:\xflllxx.exec:\xflllxx.exe51⤵
- Executes dropped EXE
PID:3572 -
\??\c:\ntbbtn.exec:\ntbbtn.exe52⤵
- Executes dropped EXE
PID:4124 -
\??\c:\ddppp.exec:\ddppp.exe53⤵
- Executes dropped EXE
PID:2192 -
\??\c:\jjjjv.exec:\jjjjv.exe54⤵
- Executes dropped EXE
PID:1724 -
\??\c:\ppjpd.exec:\ppjpd.exe55⤵
- Executes dropped EXE
PID:4264 -
\??\c:\1pvdv.exec:\1pvdv.exe56⤵
- Executes dropped EXE
PID:2380 -
\??\c:\3jjdd.exec:\3jjdd.exe57⤵
- Executes dropped EXE
PID:1016 -
\??\c:\rllrxll.exec:\rllrxll.exe58⤵
- Executes dropped EXE
PID:1476 -
\??\c:\xrxlfff.exec:\xrxlfff.exe59⤵
- Executes dropped EXE
PID:4272 -
\??\c:\nnhntt.exec:\nnhntt.exe60⤵
- Executes dropped EXE
PID:2604 -
\??\c:\nbtbbh.exec:\nbtbbh.exe61⤵
- Executes dropped EXE
PID:4776 -
\??\c:\vpvvp.exec:\vpvvp.exe62⤵
- Executes dropped EXE
PID:4576 -
\??\c:\lxlllff.exec:\lxlllff.exe63⤵
- Executes dropped EXE
PID:2696 -
\??\c:\lflfffx.exec:\lflfffx.exe64⤵
- Executes dropped EXE
PID:1560 -
\??\c:\nntttt.exec:\nntttt.exe65⤵
- Executes dropped EXE
PID:1988 -
\??\c:\jjppv.exec:\jjppv.exe66⤵PID:4852
-
\??\c:\vjjvv.exec:\vjjvv.exe67⤵PID:4640
-
\??\c:\xxrlxxl.exec:\xxrlxxl.exe68⤵PID:1756
-
\??\c:\hhtbth.exec:\hhtbth.exe69⤵PID:3876
-
\??\c:\hhhbbb.exec:\hhhbbb.exe70⤵PID:4256
-
\??\c:\pdjjj.exec:\pdjjj.exe71⤵PID:4692
-
\??\c:\ddpjj.exec:\ddpjj.exe72⤵PID:3432
-
\??\c:\5xxrxfx.exec:\5xxrxfx.exe73⤵PID:552
-
\??\c:\tthnbh.exec:\tthnbh.exe74⤵PID:3164
-
\??\c:\hbthhh.exec:\hbthhh.exe75⤵PID:1600
-
\??\c:\vjppj.exec:\vjppj.exe76⤵PID:1584
-
\??\c:\ddjdv.exec:\ddjdv.exe77⤵PID:952
-
\??\c:\xfllfff.exec:\xfllfff.exe78⤵PID:3012
-
\??\c:\hbnnnt.exec:\hbnnnt.exe79⤵PID:3916
-
\??\c:\ddjjj.exec:\ddjjj.exe80⤵PID:4928
-
\??\c:\nnhtnb.exec:\nnhtnb.exe81⤵PID:2304
-
\??\c:\vvddd.exec:\vvddd.exe82⤵PID:2448
-
\??\c:\vpjdp.exec:\vpjdp.exe83⤵PID:4968
-
\??\c:\pppjd.exec:\pppjd.exe84⤵PID:3088
-
\??\c:\rfffxff.exec:\rfffxff.exe85⤵PID:1180
-
\??\c:\nnbbhh.exec:\nnbbhh.exe86⤵PID:4828
-
\??\c:\jjpvv.exec:\jjpvv.exe87⤵PID:3060
-
\??\c:\7xlfxff.exec:\7xlfxff.exe88⤵PID:2572
-
\??\c:\llxxllx.exec:\llxxllx.exe89⤵PID:1856
-
\??\c:\9tnthh.exec:\9tnthh.exe90⤵PID:2032
-
\??\c:\pjdvv.exec:\pjdvv.exe91⤵PID:4860
-
\??\c:\jpjdj.exec:\jpjdj.exe92⤵PID:856
-
\??\c:\5xlfflf.exec:\5xlfflf.exe93⤵PID:3508
-
\??\c:\rrxflrx.exec:\rrxflrx.exe94⤵PID:628
-
\??\c:\5lrrrxx.exec:\5lrrrxx.exe95⤵PID:3792
-
\??\c:\7tbhhh.exec:\7tbhhh.exe96⤵PID:1512
-
\??\c:\pvvvv.exec:\pvvvv.exe97⤵PID:1156
-
\??\c:\ddddd.exec:\ddddd.exe98⤵PID:3388
-
\??\c:\jpvjd.exec:\jpvjd.exe99⤵PID:112
-
\??\c:\lxfffff.exec:\lxfffff.exe100⤵PID:4488
-
\??\c:\flfffff.exec:\flfffff.exe101⤵PID:4176
-
\??\c:\nbbhbh.exec:\nbbhbh.exe102⤵PID:3084
-
\??\c:\hhtntt.exec:\hhtntt.exe103⤵PID:4656
-
\??\c:\bhttbb.exec:\bhttbb.exe104⤵PID:4980
-
\??\c:\jdjpj.exec:\jdjpj.exe105⤵PID:640
-
\??\c:\dvpjd.exec:\dvpjd.exe106⤵PID:5008
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe107⤵PID:848
-
\??\c:\1flrxff.exec:\1flrxff.exe108⤵PID:4916
-
\??\c:\nhtbbb.exec:\nhtbbb.exe109⤵PID:4436
-
\??\c:\thhnnt.exec:\thhnnt.exe110⤵PID:2536
-
\??\c:\hhnnhn.exec:\hhnnhn.exe111⤵PID:224
-
\??\c:\vvvvp.exec:\vvvvp.exe112⤵PID:3344
-
\??\c:\vjppp.exec:\vjppp.exe113⤵PID:3068
-
\??\c:\3lxflxr.exec:\3lxflxr.exe114⤵PID:932
-
\??\c:\rlxlfff.exec:\rlxlfff.exe115⤵PID:1644
-
\??\c:\1flffff.exec:\1flffff.exe116⤵PID:1524
-
\??\c:\hbhnnb.exec:\hbhnnb.exe117⤵PID:1804
-
\??\c:\3dpjp.exec:\3dpjp.exe118⤵PID:1908
-
\??\c:\5fxxrxx.exec:\5fxxrxx.exe119⤵PID:2196
-
\??\c:\ffrxxff.exec:\ffrxxff.exe120⤵PID:1996
-
\??\c:\hbhhbb.exec:\hbhhbb.exe121⤵PID:852
-
\??\c:\hhbbbh.exec:\hhbbbh.exe122⤵PID:1416
-
\??\c:\pdpvv.exec:\pdpvv.exe123⤵PID:3336
-
\??\c:\ppjjv.exec:\ppjjv.exe124⤵PID:2568
-
\??\c:\vpdjd.exec:\vpdjd.exe125⤵PID:2904
-
\??\c:\fxxfffl.exec:\fxxfffl.exe126⤵PID:2172
-
\??\c:\rfxflrl.exec:\rfxflrl.exe127⤵PID:520
-
\??\c:\nttbbh.exec:\nttbbh.exe128⤵PID:3120
-
\??\c:\vjjjd.exec:\vjjjd.exe129⤵PID:4524
-
\??\c:\jpppj.exec:\jpppj.exe130⤵PID:2580
-
\??\c:\rrxxxff.exec:\rrxxxff.exe131⤵PID:4532
-
\??\c:\hbbbth.exec:\hbbbth.exe132⤵PID:4484
-
\??\c:\hnbntn.exec:\hnbntn.exe133⤵PID:4868
-
\??\c:\5vvvp.exec:\5vvvp.exe134⤵PID:1576
-
\??\c:\ppdvj.exec:\ppdvj.exe135⤵PID:1184
-
\??\c:\rlrrlrr.exec:\rlrrlrr.exe136⤵PID:3012
-
\??\c:\bbnnbb.exec:\bbnnbb.exe137⤵PID:4464
-
\??\c:\bttttb.exec:\bttttb.exe138⤵PID:3208
-
\??\c:\vdvvd.exec:\vdvvd.exe139⤵PID:512
-
\??\c:\rrxlfll.exec:\rrxlfll.exe140⤵PID:2124
-
\??\c:\rrffrxl.exec:\rrffrxl.exe141⤵PID:3428
-
\??\c:\bhhtht.exec:\bhhtht.exe142⤵PID:5000
-
\??\c:\ddvjd.exec:\ddvjd.exe143⤵PID:2652
-
\??\c:\pdjdv.exec:\pdjdv.exe144⤵PID:4828
-
\??\c:\ppvvp.exec:\ppvvp.exe145⤵PID:624
-
\??\c:\fxrrrxx.exec:\fxrrrxx.exe146⤵PID:1444
-
\??\c:\xxxxlll.exec:\xxxxlll.exe147⤵PID:1720
-
\??\c:\bntttt.exec:\bntttt.exe148⤵PID:1480
-
\??\c:\bnbtnt.exec:\bnbtnt.exe149⤵PID:3560
-
\??\c:\jpvvv.exec:\jpvvv.exe150⤵PID:2528
-
\??\c:\dvpjp.exec:\dvpjp.exe151⤵PID:3740
-
\??\c:\lxxfxff.exec:\lxxfxff.exe152⤵PID:3912
-
\??\c:\llrxxxf.exec:\llrxxxf.exe153⤵PID:4564
-
\??\c:\htbbbh.exec:\htbbbh.exe154⤵PID:3404
-
\??\c:\hhtnnb.exec:\hhtnnb.exe155⤵PID:3296
-
\??\c:\tthnnt.exec:\tthnnt.exe156⤵PID:3600
-
\??\c:\5djpp.exec:\5djpp.exe157⤵PID:3300
-
\??\c:\jjjjd.exec:\jjjjd.exe158⤵PID:4620
-
\??\c:\3rrlxxr.exec:\3rrlxxr.exe159⤵PID:4832
-
\??\c:\rrrxllr.exec:\rrrxllr.exe160⤵PID:3076
-
\??\c:\bhntnn.exec:\bhntnn.exe161⤵PID:4840
-
\??\c:\tntnnt.exec:\tntnnt.exe162⤵PID:2496
-
\??\c:\ttbbtb.exec:\ttbbtb.exe163⤵PID:4980
-
\??\c:\vvjpp.exec:\vvjpp.exe164⤵PID:4328
-
\??\c:\ppvvd.exec:\ppvvd.exe165⤵PID:5008
-
\??\c:\lrfllrl.exec:\lrfllrl.exe166⤵PID:848
-
\??\c:\lrffxfr.exec:\lrffxfr.exe167⤵PID:3972
-
\??\c:\bbthtt.exec:\bbthtt.exe168⤵PID:216
-
\??\c:\ttbnhn.exec:\ttbnhn.exe169⤵PID:2736
-
\??\c:\1hnnhn.exec:\1hnnhn.exe170⤵PID:2192
-
\??\c:\pjppj.exec:\pjppj.exe171⤵PID:4264
-
\??\c:\jjvdd.exec:\jjvdd.exe172⤵PID:1016
-
\??\c:\xxxxxxx.exec:\xxxxxxx.exe173⤵PID:1276
-
\??\c:\ffrrrlr.exec:\ffrrrlr.exe174⤵PID:8
-
\??\c:\3fllllr.exec:\3fllllr.exe175⤵PID:2752
-
\??\c:\tnbbbh.exec:\tnbbbh.exe176⤵PID:3348
-
\??\c:\hbhbbh.exec:\hbhbbh.exe177⤵PID:2264
-
\??\c:\3vpdd.exec:\3vpdd.exe178⤵PID:4560
-
\??\c:\pjvjp.exec:\pjvjp.exe179⤵PID:4776
-
\??\c:\3xlfflr.exec:\3xlfflr.exe180⤵PID:2148
-
\??\c:\xrrrrrr.exec:\xrrrrrr.exe181⤵PID:2012
-
\??\c:\nbhhbt.exec:\nbhhbt.exe182⤵PID:2568
-
\??\c:\3pdvj.exec:\3pdvj.exe183⤵PID:4140
-
\??\c:\3ddvp.exec:\3ddvp.exe184⤵PID:3968
-
\??\c:\llllfll.exec:\llllfll.exe185⤵PID:4824
-
\??\c:\xxffrrf.exec:\xxffrrf.exe186⤵PID:552
-
\??\c:\tbttth.exec:\tbttth.exe187⤵PID:4872
-
\??\c:\5nnbtb.exec:\5nnbtb.exe188⤵PID:3712
-
\??\c:\hbhhhn.exec:\hbhhhn.exe189⤵PID:1584
-
\??\c:\7jvvd.exec:\7jvvd.exe190⤵PID:3012
-
\??\c:\vvdpj.exec:\vvdpj.exe191⤵PID:2088
-
\??\c:\rrflfff.exec:\rrflfff.exe192⤵PID:4180
-
\??\c:\tnntht.exec:\tnntht.exe193⤵PID:3500
-
\??\c:\dvddj.exec:\dvddj.exe194⤵PID:5000
-
\??\c:\vdjdv.exec:\vdjdv.exe195⤵PID:2652
-
\??\c:\pdjdd.exec:\pdjdd.exe196⤵PID:1752
-
\??\c:\1fxrrxl.exec:\1fxrrxl.exe197⤵PID:956
-
\??\c:\9frrxxf.exec:\9frrxxf.exe198⤵PID:3996
-
\??\c:\hnthbt.exec:\hnthbt.exe199⤵PID:3948
-
\??\c:\jjjdj.exec:\jjjdj.exe200⤵PID:3560
-
\??\c:\jdjjj.exec:\jdjjj.exe201⤵PID:2528
-
\??\c:\fllrflr.exec:\fllrflr.exe202⤵PID:4684
-
\??\c:\ntnbhn.exec:\ntnbhn.exe203⤵PID:2432
-
\??\c:\5dpjd.exec:\5dpjd.exe204⤵PID:3228
-
\??\c:\1rxxxxx.exec:\1rxxxxx.exe205⤵PID:800
-
\??\c:\bnbbhh.exec:\bnbbhh.exe206⤵PID:2016
-
\??\c:\bbbbbb.exec:\bbbbbb.exe207⤵PID:4596
-
\??\c:\vpvdv.exec:\vpvdv.exe208⤵PID:2112
-
\??\c:\jjppp.exec:\jjppp.exe209⤵PID:1992
-
\??\c:\llrxrrf.exec:\llrxrrf.exe210⤵PID:3280
-
\??\c:\9flrrff.exec:\9flrrff.exe211⤵PID:1652
-
\??\c:\vpppp.exec:\vpppp.exe212⤵PID:4920
-
\??\c:\dvddv.exec:\dvddv.exe213⤵PID:3660
-
\??\c:\bbtttb.exec:\bbtttb.exe214⤵PID:1188
-
\??\c:\vpdjj.exec:\vpdjj.exe215⤵PID:3480
-
\??\c:\jpppd.exec:\jpppd.exe216⤵PID:3572
-
\??\c:\ffxlfxr.exec:\ffxlfxr.exe217⤵PID:2536
-
\??\c:\nbntth.exec:\nbntth.exe218⤵PID:4124
-
\??\c:\jpdjp.exec:\jpdjp.exe219⤵PID:2872
-
\??\c:\jjjjj.exec:\jjjjj.exe220⤵PID:932
-
\??\c:\ffxxrrr.exec:\ffxxrrr.exe221⤵PID:1632
-
\??\c:\nbhhhn.exec:\nbhhhn.exe222⤵PID:1016
-
\??\c:\bhnbtt.exec:\bhnbtt.exe223⤵PID:4360
-
\??\c:\ddppp.exec:\ddppp.exe224⤵PID:5036
-
\??\c:\1pvvp.exec:\1pvvp.exe225⤵PID:2752
-
\??\c:\xxxxxff.exec:\xxxxxff.exe226⤵PID:1192
-
\??\c:\9xxfrxl.exec:\9xxfrxl.exe227⤵PID:4604
-
\??\c:\5hnhtt.exec:\5hnhtt.exe228⤵PID:4560
-
\??\c:\bhtthb.exec:\bhtthb.exe229⤵PID:4296
-
\??\c:\htthtt.exec:\htthtt.exe230⤵PID:5080
-
\??\c:\7dpjj.exec:\7dpjj.exe231⤵PID:3336
-
\??\c:\ddpjp.exec:\ddpjp.exe232⤵PID:2568
-
\??\c:\5xfffll.exec:\5xfffll.exe233⤵PID:4144
-
\??\c:\rlxrfll.exec:\rlxrfll.exe234⤵PID:3968
-
\??\c:\bhhbtt.exec:\bhhbtt.exe235⤵PID:4824
-
\??\c:\tbhhhb.exec:\tbhhhb.exe236⤵PID:4420
-
\??\c:\htbbbt.exec:\htbbbt.exe237⤵PID:872
-
\??\c:\jvdvp.exec:\jvdvp.exe238⤵PID:4672
-
\??\c:\ddpjj.exec:\ddpjj.exe239⤵PID:4968
-
\??\c:\rlxxrxx.exec:\rlxxrxx.exe240⤵PID:1180
-
\??\c:\ffflxxr.exec:\ffflxxr.exe241⤵PID:532
-
\??\c:\lfflfff.exec:\lfflfff.exe242⤵PID:400