Analysis
-
max time kernel
149s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18-05-2024 06:15
Behavioral task
behavioral1
Sample
a0fdd2fec7e2e2f1ccc7a5309a0b7620_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
5 signatures
150 seconds
General
-
Target
a0fdd2fec7e2e2f1ccc7a5309a0b7620_NeikiAnalytics.exe
-
Size
79KB
-
MD5
a0fdd2fec7e2e2f1ccc7a5309a0b7620
-
SHA1
f74da41d08c5c81f067f257d58b70039dea4e7aa
-
SHA256
fc0966762b9bb96ee73ece34a5e6a0fdc14c992014f804f0a4762859926ae43f
-
SHA512
615381dfc0ad2910ee4ea7bd29f3fd09177074db780fc21e2ffdfc98394d58c39bf8bf7915e91f05d5aaae63d7d442102b7ec0b45b25ad948e00c3750bb45aac
-
SSDEEP
1536:zvQBeOGtrYS3srx93UBWfwC6Ggnouy8iT4+C2HVM1p6T7a:zhOmTsF93UYfwC6GIoutiTU2HVS63a
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/4432-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2924-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1240-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/368-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4536-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1408-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2636-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1380-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/928-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/112-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/664-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2348-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2572-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4676-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2452-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4516-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2768-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4088-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4544-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4276-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1340-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4572-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3356-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3116-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2636-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3208-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3696-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2788-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4104-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2272-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2524-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3984-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3748-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1104-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2360-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-423-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2392-433-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3376-443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-461-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2444-514-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3212-586-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4332-617-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-662-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3084-682-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4572-747-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
nntbbh.exe 1vddv.exe ddppp.exe lfrllfx.exe hbtnnt.exe jdddv.exe jjvvp.exe rlfxxxr.exe rllfxxr.exe nnbnhb.exe dvpjv.exe frlfrlf.exe tnnhbh.exe vpdvv.exe fflfxxx.exe 3rlrxxx.exe bhhhtb.exe dpvvp.exe lfxrrlf.exe frlfxxr.exe bntbbh.exe vdvdv.exe flffxrl.exe hhnhnn.exe ppvpj.exe pdjdd.exe lrxxxrl.exe bbnnnn.exe dvjvv.exe xrrlffx.exe htnhbb.exe nthhhh.exe pjpvd.exe 5fxxxxx.exe 9rrrllf.exe tnhhbh.exe ppdpj.exe 1jpjv.exe ffrrfff.exe bntnhh.exe 1tnhbb.exe vjpjd.exe jdjjp.exe rfxrrrx.exe 3xxllrl.exe 1hhhhn.exe jppdv.exe pdjjp.exe rxffflr.exe bntttb.exe 9ntttt.exe jdddv.exe rrlrrxx.exe tnhhnt.exe bhbnhh.exe jjppj.exe lllfxxr.exe hhhnbh.exe nnnbhn.exe pjvpp.exe xrlxflr.exe lxflfff.exe hbhhhh.exe 9ttttt.exe pid process 2924 nntbbh.exe 212 1vddv.exe 368 ddppp.exe 1240 lfrllfx.exe 5096 hbtnnt.exe 2184 jdddv.exe 1408 jjvvp.exe 4536 rlfxxxr.exe 2776 rllfxxr.exe 2636 nnbnhb.exe 1380 dvpjv.exe 928 frlfrlf.exe 3392 tnnhbh.exe 4532 vpdvv.exe 112 fflfxxx.exe 3208 3rlrxxx.exe 664 bhhhtb.exe 2424 dpvvp.exe 4816 lfxrrlf.exe 2348 frlfxxr.exe 2572 bntbbh.exe 5072 vdvdv.exe 4676 flffxrl.exe 4016 hhnhnn.exe 4608 ppvpj.exe 2452 pdjdd.exe 4516 lrxxxrl.exe 1948 bbnnnn.exe 2768 dvjvv.exe 1228 xrrlffx.exe 4952 htnhbb.exe 1612 nthhhh.exe 2544 pjpvd.exe 4680 5fxxxxx.exe 4836 9rrrllf.exe 4488 tnhhbh.exe 4088 ppdpj.exe 1616 1jpjv.exe 3040 ffrrfff.exe 4564 bntnhh.exe 3540 1tnhbb.exe 4824 vjpjd.exe 4544 jdjjp.exe 3508 rfxrrrx.exe 1104 3xxllrl.exe 4444 1hhhhn.exe 2468 jppdv.exe 4780 pdjjp.exe 812 rxffflr.exe 4348 bntttb.exe 4276 9ntttt.exe 4432 jdddv.exe 4316 rrlrrxx.exe 220 tnhhnt.exe 1340 bhbnhh.exe 4572 jjppj.exe 2416 lllfxxr.exe 3356 hhhnbh.exe 3116 nnnbhn.exe 1408 pjvpp.exe 4128 xrlxflr.exe 4904 lxflfff.exe 820 hbhhhh.exe 2636 9ttttt.exe -
Processes:
resource yara_rule behavioral2/memory/4432-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4432-6-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\nntbbh.exe upx behavioral2/memory/2924-7-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\1vddv.exe upx C:\ddppp.exe upx behavioral2/memory/212-13-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\lfrllfx.exe upx behavioral2/memory/1240-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/368-20-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\hbtnnt.exe upx C:\jdddv.exe upx \??\c:\jjvvp.exe upx \??\c:\rlfxxxr.exe upx behavioral2/memory/4536-41-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\rllfxxr.exe upx \??\c:\nnbnhb.exe upx behavioral2/memory/1408-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2184-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5096-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2636-54-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\dvpjv.exe upx behavioral2/memory/1380-56-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\frlfrlf.exe upx behavioral2/memory/928-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3392-65-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\tnnhbh.exe upx C:\vpdvv.exe upx C:\fflfxxx.exe upx behavioral2/memory/112-74-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\3rlrxxx.exe upx behavioral2/memory/112-78-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bhhhtb.exe upx behavioral2/memory/664-84-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\dpvvp.exe upx C:\lfxrrlf.exe upx C:\frlfxxr.exe upx C:\bntbbh.exe upx behavioral2/memory/2348-100-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\vdvdv.exe upx behavioral2/memory/2572-107-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\flffxrl.exe upx 
C:\hhnhnn.exe upx behavioral2/memory/4676-114-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ppvpj.exe upx behavioral2/memory/4016-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4608-122-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\pdjdd.exe upx behavioral2/memory/2452-127-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\lrxxxrl.exe upx behavioral2/memory/4516-134-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bbnnnn.exe upx C:\dvjvv.exe upx behavioral2/memory/2768-142-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xrrlffx.exe upx C:\htnhbb.exe upx C:\nthhhh.exe upx behavioral2/memory/4952-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1612-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1612-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2544-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4680-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4488-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4088-171-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a0fdd2fec7e2e2f1ccc7a5309a0b7620_NeikiAnalytics.exe nntbbh.exe 1vddv.exe ddppp.exe lfrllfx.exe hbtnnt.exe jdddv.exe jjvvp.exe rlfxxxr.exe rllfxxr.exe nnbnhb.exe dvpjv.exe frlfrlf.exe tnnhbh.exe vpdvv.exe fflfxxx.exe 3rlrxxx.exe bhhhtb.exe dpvvp.exe lfxrrlf.exe frlfxxr.exe bntbbh.exe description pid process target process PID 4432 wrote to memory of 2924 4432 a0fdd2fec7e2e2f1ccc7a5309a0b7620_NeikiAnalytics.exe nntbbh.exe PID 4432 wrote to memory of 2924 4432 a0fdd2fec7e2e2f1ccc7a5309a0b7620_NeikiAnalytics.exe nntbbh.exe PID 4432 wrote to memory of 2924 4432 a0fdd2fec7e2e2f1ccc7a5309a0b7620_NeikiAnalytics.exe nntbbh.exe PID 2924 wrote to memory of 212 2924 nntbbh.exe 1vddv.exe PID 2924 wrote to memory of 212 2924 nntbbh.exe 1vddv.exe PID 2924 wrote to memory of 212 2924 nntbbh.exe 1vddv.exe PID 212 wrote to memory of 368 212 1vddv.exe ddppp.exe PID 212 wrote to memory of 368 212 1vddv.exe ddppp.exe PID 212 wrote to memory of 368 212 1vddv.exe ddppp.exe PID 368 wrote to memory of 1240 368 ddppp.exe lfrllfx.exe PID 368 wrote to memory of 1240 368 ddppp.exe lfrllfx.exe PID 368 wrote to memory of 1240 368 ddppp.exe lfrllfx.exe PID 1240 wrote to memory of 5096 1240 lfrllfx.exe hbtnnt.exe PID 1240 wrote to memory of 5096 1240 lfrllfx.exe hbtnnt.exe PID 1240 wrote to memory of 5096 1240 lfrllfx.exe hbtnnt.exe PID 5096 wrote to memory of 2184 5096 hbtnnt.exe jdddv.exe PID 5096 wrote to memory of 2184 5096 hbtnnt.exe jdddv.exe PID 5096 wrote to memory of 2184 5096 hbtnnt.exe jdddv.exe PID 2184 wrote to memory of 1408 2184 jdddv.exe jjvvp.exe PID 2184 wrote to memory of 1408 2184 jdddv.exe jjvvp.exe PID 2184 wrote to memory of 1408 2184 jdddv.exe jjvvp.exe PID 1408 wrote to memory of 4536 1408 jjvvp.exe rlfxxxr.exe PID 1408 wrote to memory of 4536 1408 jjvvp.exe rlfxxxr.exe PID 1408 wrote to memory of 4536 1408 jjvvp.exe rlfxxxr.exe PID 4536 wrote to memory of 2776 4536 rlfxxxr.exe rllfxxr.exe PID 4536 wrote to memory of 2776 4536 rlfxxxr.exe rllfxxr.exe PID 4536 wrote to memory of 2776 4536 
rlfxxxr.exe rllfxxr.exe PID 2776 wrote to memory of 2636 2776 rllfxxr.exe nnbnhb.exe PID 2776 wrote to memory of 2636 2776 rllfxxr.exe nnbnhb.exe PID 2776 wrote to memory of 2636 2776 rllfxxr.exe nnbnhb.exe PID 2636 wrote to memory of 1380 2636 nnbnhb.exe dvpjv.exe PID 2636 wrote to memory of 1380 2636 nnbnhb.exe dvpjv.exe PID 2636 wrote to memory of 1380 2636 nnbnhb.exe dvpjv.exe PID 1380 wrote to memory of 928 1380 dvpjv.exe frlfrlf.exe PID 1380 wrote to memory of 928 1380 dvpjv.exe frlfrlf.exe PID 1380 wrote to memory of 928 1380 dvpjv.exe frlfrlf.exe PID 928 wrote to memory of 3392 928 frlfrlf.exe tnnhbh.exe PID 928 wrote to memory of 3392 928 frlfrlf.exe tnnhbh.exe PID 928 wrote to memory of 3392 928 frlfrlf.exe tnnhbh.exe PID 3392 wrote to memory of 4532 3392 tnnhbh.exe vpdvv.exe PID 3392 wrote to memory of 4532 3392 tnnhbh.exe vpdvv.exe PID 3392 wrote to memory of 4532 3392 tnnhbh.exe vpdvv.exe PID 4532 wrote to memory of 112 4532 vpdvv.exe fflfxxx.exe PID 4532 wrote to memory of 112 4532 vpdvv.exe fflfxxx.exe PID 4532 wrote to memory of 112 4532 vpdvv.exe fflfxxx.exe PID 112 wrote to memory of 3208 112 fflfxxx.exe 3rlrxxx.exe PID 112 wrote to memory of 3208 112 fflfxxx.exe 3rlrxxx.exe PID 112 wrote to memory of 3208 112 fflfxxx.exe 3rlrxxx.exe PID 3208 wrote to memory of 664 3208 3rlrxxx.exe bhhhtb.exe PID 3208 wrote to memory of 664 3208 3rlrxxx.exe bhhhtb.exe PID 3208 wrote to memory of 664 3208 3rlrxxx.exe bhhhtb.exe PID 664 wrote to memory of 2424 664 bhhhtb.exe dpvvp.exe PID 664 wrote to memory of 2424 664 bhhhtb.exe dpvvp.exe PID 664 wrote to memory of 2424 664 bhhhtb.exe dpvvp.exe PID 2424 wrote to memory of 4816 2424 dpvvp.exe lfxrrlf.exe PID 2424 wrote to memory of 4816 2424 dpvvp.exe lfxrrlf.exe PID 2424 wrote to memory of 4816 2424 dpvvp.exe lfxrrlf.exe PID 4816 wrote to memory of 2348 4816 lfxrrlf.exe frlfxxr.exe PID 4816 wrote to memory of 2348 4816 lfxrrlf.exe frlfxxr.exe PID 4816 wrote to memory of 2348 4816 lfxrrlf.exe frlfxxr.exe PID 2348 
wrote to memory of 2572 2348 frlfxxr.exe bntbbh.exe PID 2348 wrote to memory of 2572 2348 frlfxxr.exe bntbbh.exe PID 2348 wrote to memory of 2572 2348 frlfxxr.exe bntbbh.exe PID 2572 wrote to memory of 5072 2572 bntbbh.exe vdvdv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0fdd2fec7e2e2f1ccc7a5309a0b7620_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a0fdd2fec7e2e2f1ccc7a5309a0b7620_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\nntbbh.exec:\nntbbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\1vddv.exec:\1vddv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\ddppp.exec:\ddppp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\lfrllfx.exec:\lfrllfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\hbtnnt.exec:\hbtnnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\jdddv.exec:\jdddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\jjvvp.exec:\jjvvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\rlfxxxr.exec:\rlfxxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\rllfxxr.exec:\rllfxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\nnbnhb.exec:\nnbnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\dvpjv.exec:\dvpjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\frlfrlf.exec:\frlfrlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
\??\c:\tnnhbh.exec:\tnnhbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\vpdvv.exec:\vpdvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\fflfxxx.exec:\fflfxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\3rlrxxx.exec:\3rlrxxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\bhhhtb.exec:\bhhhtb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
\??\c:\dpvvp.exec:\dpvvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\lfxrrlf.exec:\lfxrrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\frlfxxr.exec:\frlfxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\bntbbh.exec:\bntbbh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\vdvdv.exec:\vdvdv.exe23⤵
- Executes dropped EXE
PID:5072 -
\??\c:\flffxrl.exec:\flffxrl.exe24⤵
- Executes dropped EXE
PID:4676 -
\??\c:\hhnhnn.exec:\hhnhnn.exe25⤵
- Executes dropped EXE
PID:4016 -
\??\c:\ppvpj.exec:\ppvpj.exe26⤵
- Executes dropped EXE
PID:4608 -
\??\c:\pdjdd.exec:\pdjdd.exe27⤵
- Executes dropped EXE
PID:2452 -
\??\c:\lrxxxrl.exec:\lrxxxrl.exe28⤵
- Executes dropped EXE
PID:4516 -
\??\c:\bbnnnn.exec:\bbnnnn.exe29⤵
- Executes dropped EXE
PID:1948 -
\??\c:\dvjvv.exec:\dvjvv.exe30⤵
- Executes dropped EXE
PID:2768 -
\??\c:\xrrlffx.exec:\xrrlffx.exe31⤵
- Executes dropped EXE
PID:1228 -
\??\c:\htnhbb.exec:\htnhbb.exe32⤵
- Executes dropped EXE
PID:4952 -
\??\c:\nthhhh.exec:\nthhhh.exe33⤵
- Executes dropped EXE
PID:1612 -
\??\c:\pjpvd.exec:\pjpvd.exe34⤵
- Executes dropped EXE
PID:2544 -
\??\c:\5fxxxxx.exec:\5fxxxxx.exe35⤵
- Executes dropped EXE
PID:4680 -
\??\c:\9rrrllf.exec:\9rrrllf.exe36⤵
- Executes dropped EXE
PID:4836 -
\??\c:\tnhhbh.exec:\tnhhbh.exe37⤵
- Executes dropped EXE
PID:4488 -
\??\c:\ppdpj.exec:\ppdpj.exe38⤵
- Executes dropped EXE
PID:4088 -
\??\c:\1jpjv.exec:\1jpjv.exe39⤵
- Executes dropped EXE
PID:1616 -
\??\c:\ffrrfff.exec:\ffrrfff.exe40⤵
- Executes dropped EXE
PID:3040 -
\??\c:\bntnhh.exec:\bntnhh.exe41⤵
- Executes dropped EXE
PID:4564 -
\??\c:\1tnhbb.exec:\1tnhbb.exe42⤵
- Executes dropped EXE
PID:3540 -
\??\c:\vjpjd.exec:\vjpjd.exe43⤵
- Executes dropped EXE
PID:4824 -
\??\c:\jdjjp.exec:\jdjjp.exe44⤵
- Executes dropped EXE
PID:4544 -
\??\c:\rfxrrrx.exec:\rfxrrrx.exe45⤵
- Executes dropped EXE
PID:3508 -
\??\c:\3xxllrl.exec:\3xxllrl.exe46⤵
- Executes dropped EXE
PID:1104 -
\??\c:\1hhhhn.exec:\1hhhhn.exe47⤵
- Executes dropped EXE
PID:4444 -
\??\c:\jppdv.exec:\jppdv.exe48⤵
- Executes dropped EXE
PID:2468 -
\??\c:\pdjjp.exec:\pdjjp.exe49⤵
- Executes dropped EXE
PID:4780 -
\??\c:\rxffflr.exec:\rxffflr.exe50⤵
- Executes dropped EXE
PID:812 -
\??\c:\bntttb.exec:\bntttb.exe51⤵
- Executes dropped EXE
PID:4348 -
\??\c:\9ntttt.exec:\9ntttt.exe52⤵
- Executes dropped EXE
PID:4276 -
\??\c:\jdddv.exec:\jdddv.exe53⤵
- Executes dropped EXE
PID:4432 -
\??\c:\rrlrrxx.exec:\rrlrrxx.exe54⤵
- Executes dropped EXE
PID:4316 -
\??\c:\tnhhnt.exec:\tnhhnt.exe55⤵
- Executes dropped EXE
PID:220 -
\??\c:\bhbnhh.exec:\bhbnhh.exe56⤵
- Executes dropped EXE
PID:1340 -
\??\c:\jjppj.exec:\jjppj.exe57⤵
- Executes dropped EXE
PID:4572 -
\??\c:\lllfxxr.exec:\lllfxxr.exe58⤵
- Executes dropped EXE
PID:2416 -
\??\c:\hhhnbh.exec:\hhhnbh.exe59⤵
- Executes dropped EXE
PID:3356 -
\??\c:\nnnbhn.exec:\nnnbhn.exe60⤵
- Executes dropped EXE
PID:3116 -
\??\c:\pjvpp.exec:\pjvpp.exe61⤵
- Executes dropped EXE
PID:1408 -
\??\c:\xrlxflr.exec:\xrlxflr.exe62⤵
- Executes dropped EXE
PID:4128 -
\??\c:\lxflfff.exec:\lxflfff.exe63⤵
- Executes dropped EXE
PID:4904 -
\??\c:\hbhhhh.exec:\hbhhhh.exe64⤵
- Executes dropped EXE
PID:820 -
\??\c:\9ttttt.exec:\9ttttt.exe65⤵
- Executes dropped EXE
PID:2636 -
\??\c:\7httnt.exec:\7httnt.exe66⤵PID:2444
-
\??\c:\jpppv.exec:\jpppv.exe67⤵PID:1008
-
\??\c:\jdjjj.exec:\jdjjj.exe68⤵PID:2164
-
\??\c:\xlxfffl.exec:\xlxfffl.exe69⤵PID:4768
-
\??\c:\frflfff.exec:\frflfff.exe70⤵PID:4704
-
\??\c:\nntbbb.exec:\nntbbb.exe71⤵PID:4532
-
\??\c:\hntbhn.exec:\hntbhn.exe72⤵PID:1376
-
\??\c:\vvvvp.exec:\vvvvp.exe73⤵PID:3368
-
\??\c:\ppdvv.exec:\ppdvv.exe74⤵PID:3208
-
\??\c:\ppjjj.exec:\ppjjj.exe75⤵PID:3696
-
\??\c:\ffrlfll.exec:\ffrlfll.exe76⤵PID:4604
-
\??\c:\nbhhtb.exec:\nbhhtb.exe77⤵PID:4744
-
\??\c:\ddddv.exec:\ddddv.exe78⤵PID:4860
-
\??\c:\ddjjv.exec:\ddjjv.exe79⤵PID:3636
-
\??\c:\rrlffll.exec:\rrlffll.exe80⤵PID:2788
-
\??\c:\xxfllrx.exec:\xxfllrx.exe81⤵PID:4528
-
\??\c:\5bhnnn.exec:\5bhnnn.exe82⤵PID:2572
-
\??\c:\3ddjj.exec:\3ddjj.exe83⤵PID:4612
-
\??\c:\jvdjj.exec:\jvdjj.exe84⤵PID:1764
-
\??\c:\pvdpj.exec:\pvdpj.exe85⤵PID:4104
-
\??\c:\llllrrx.exec:\llllrrx.exe86⤵PID:1344
-
\??\c:\1hhhhn.exec:\1hhhhn.exe87⤵PID:2272
-
\??\c:\7nnnth.exec:\7nnnth.exe88⤵PID:1696
-
\??\c:\vpjjd.exec:\vpjjd.exe89⤵PID:1600
-
\??\c:\vdvjd.exec:\vdvjd.exe90⤵PID:4408
-
\??\c:\dvjpv.exec:\dvjpv.exe91⤵PID:668
-
\??\c:\rxrrrrl.exec:\rxrrrrl.exe92⤵PID:2328
-
\??\c:\rrxxfff.exec:\rrxxfff.exe93⤵PID:2524
-
\??\c:\nhbbbh.exec:\nhbbbh.exe94⤵PID:3504
-
\??\c:\nbbbbb.exec:\nbbbbb.exe95⤵PID:4952
-
\??\c:\jvdjp.exec:\jvdjp.exe96⤵PID:1308
-
\??\c:\frfxxll.exec:\frfxxll.exe97⤵PID:3032
-
\??\c:\llxxllx.exec:\llxxllx.exe98⤵PID:4680
-
\??\c:\thbhhn.exec:\thbhhn.exe99⤵PID:3576
-
\??\c:\ntbbbh.exec:\ntbbbh.exe100⤵PID:4876
-
\??\c:\jjpdv.exec:\jjpdv.exe101⤵PID:3984
-
\??\c:\pvddv.exec:\pvddv.exe102⤵PID:4472
-
\??\c:\xrxxffl.exec:\xrxxffl.exe103⤵PID:2836
-
\??\c:\frrrrff.exec:\frrrrff.exe104⤵PID:3748
-
\??\c:\bbnttb.exec:\bbnttb.exe105⤵PID:4824
-
\??\c:\thhhhh.exec:\thhhhh.exe106⤵PID:1300
-
\??\c:\djvpp.exec:\djvpp.exe107⤵PID:4240
-
\??\c:\vdddd.exec:\vdddd.exe108⤵PID:1104
-
\??\c:\pvdjj.exec:\pvdjj.exe109⤵PID:4940
-
\??\c:\ffffffl.exec:\ffffffl.exe110⤵PID:4444
-
\??\c:\thnnnn.exec:\thnnnn.exe111⤵PID:4832
-
\??\c:\hhbbbt.exec:\hhbbbt.exe112⤵PID:4308
-
\??\c:\ppjdp.exec:\ppjdp.exe113⤵PID:4800
-
\??\c:\vvddv.exec:\vvddv.exe114⤵PID:2252
-
\??\c:\pjvvv.exec:\pjvvv.exe115⤵PID:4348
-
\??\c:\5rrlfll.exec:\5rrlfll.exe116⤵PID:2360
-
\??\c:\nnbhhn.exec:\nnbhhn.exe117⤵PID:408
-
\??\c:\jjjpp.exec:\jjjpp.exe118⤵PID:4280
-
\??\c:\pjppv.exec:\pjppv.exe119⤵PID:3520
-
\??\c:\lxrrxxx.exec:\lxrrxxx.exe120⤵PID:856
-
\??\c:\rlxxxff.exec:\rlxxxff.exe121⤵PID:628
-
\??\c:\bhtntt.exec:\bhtntt.exe122⤵PID:5048
-
\??\c:\hhbnhb.exec:\hhbnhb.exe123⤵PID:1920
-
\??\c:\jpdjv.exec:\jpdjv.exe124⤵PID:556
-
\??\c:\pjpjp.exec:\pjpjp.exe125⤵PID:1408
-
\??\c:\lrrrrrx.exec:\lrrrrrx.exe126⤵PID:2552
-
\??\c:\nnhbhn.exec:\nnhbhn.exe127⤵PID:4904
-
\??\c:\hhbthh.exec:\hhbthh.exe128⤵PID:3772
-
\??\c:\nnhbhh.exec:\nnhbhh.exe129⤵PID:692
-
\??\c:\vjpjd.exec:\vjpjd.exe130⤵PID:1380
-
\??\c:\9ppvd.exec:\9ppvd.exe131⤵PID:928
-
\??\c:\xxffxfl.exec:\xxffxfl.exe132⤵PID:3652
-
\??\c:\rlxrrxf.exec:\rlxrrxf.exe133⤵PID:3828
-
\??\c:\ttthnt.exec:\ttthnt.exe134⤵PID:3196
-
\??\c:\pjjdv.exec:\pjjdv.exe135⤵PID:1940
-
\??\c:\1pvpj.exec:\1pvpj.exe136⤵PID:3904
-
\??\c:\lxxrrrl.exec:\lxxrrrl.exe137⤵PID:1880
-
\??\c:\5rxrrxx.exec:\5rxrrxx.exe138⤵PID:2076
-
\??\c:\nhbnht.exec:\nhbnht.exe139⤵PID:2424
-
\??\c:\nttnhb.exec:\nttnhb.exe140⤵PID:3880
-
\??\c:\ddjjj.exec:\ddjjj.exe141⤵PID:4744
-
\??\c:\dvddj.exec:\dvddj.exe142⤵PID:4928
-
\??\c:\rflrlrr.exec:\rflrlrr.exe143⤵PID:2908
-
\??\c:\rrllllr.exec:\rrllllr.exe144⤵PID:4396
-
\??\c:\nhhttn.exec:\nhhttn.exe145⤵PID:3192
-
\??\c:\vvpjv.exec:\vvpjv.exe146⤵PID:1836
-
\??\c:\rrffllx.exec:\rrffllx.exe147⤵PID:1584
-
\??\c:\ffflffx.exec:\ffflffx.exe148⤵PID:2476
-
\??\c:\ttbbnn.exec:\ttbbnn.exe149⤵PID:4000
-
\??\c:\nbnntb.exec:\nbnntb.exe150⤵PID:4548
-
\??\c:\jdddv.exec:\jdddv.exe151⤵PID:860
-
\??\c:\djjdv.exec:\djjdv.exe152⤵PID:2596
-
\??\c:\frrflxl.exec:\frrflxl.exe153⤵PID:4620
-
\??\c:\bthbtt.exec:\bthbtt.exe154⤵PID:2392
-
\??\c:\ntnbbt.exec:\ntnbbt.exe155⤵PID:668
-
\??\c:\pjppp.exec:\pjppp.exe156⤵PID:2292
-
\??\c:\dpdpp.exec:\dpdpp.exe157⤵PID:3768
-
\??\c:\3lrrfll.exec:\3lrrfll.exe158⤵PID:3376
-
\??\c:\7xfrrfl.exec:\7xfrrfl.exe159⤵PID:2620
-
\??\c:\9nnhbb.exec:\9nnhbb.exe160⤵PID:2544
-
\??\c:\vdpjd.exec:\vdpjd.exe161⤵PID:4476
-
\??\c:\rrlrlxr.exec:\rrlrlxr.exe162⤵PID:4088
-
\??\c:\ffffxrr.exec:\ffffxrr.exe163⤵PID:2384
-
\??\c:\ttttbb.exec:\ttttbb.exe164⤵PID:1616
-
\??\c:\pjdvp.exec:\pjdvp.exe165⤵PID:2824
-
\??\c:\dpjjj.exec:\dpjjj.exe166⤵PID:4116
-
\??\c:\flxxrxr.exec:\flxxrxr.exe167⤵PID:2080
-
\??\c:\xxxflrr.exec:\xxxflrr.exe168⤵PID:1596
-
\??\c:\ntntnb.exec:\ntntnb.exe169⤵PID:3456
-
\??\c:\1ppjp.exec:\1ppjp.exe170⤵PID:2092
-
\??\c:\vvvjp.exec:\vvvjp.exe171⤵PID:3416
-
\??\c:\jvpvp.exec:\jvpvp.exe172⤵PID:1180
-
\??\c:\rlrrllx.exec:\rlrrllx.exe173⤵PID:4560
-
\??\c:\rllrlrr.exec:\rllrlrr.exe174⤵PID:4440
-
\??\c:\bhthtb.exec:\bhthtb.exe175⤵PID:4968
-
\??\c:\pdppj.exec:\pdppj.exe176⤵PID:4372
-
\??\c:\dvjdp.exec:\dvjdp.exe177⤵PID:2252
-
\??\c:\rrxrlrr.exec:\rrxrlrr.exe178⤵PID:4348
-
\??\c:\nnttbb.exec:\nnttbb.exe179⤵PID:3872
-
\??\c:\ntthhb.exec:\ntthhb.exe180⤵PID:4324
-
\??\c:\xrlfxxx.exec:\xrlfxxx.exe181⤵PID:1092
-
\??\c:\hbbbtb.exec:\hbbbtb.exe182⤵PID:1176
-
\??\c:\nbbbnt.exec:\nbbbnt.exe183⤵PID:4572
-
\??\c:\7xxllll.exec:\7xxllll.exe184⤵PID:4508
-
\??\c:\bbhhnb.exec:\bbhhnb.exe185⤵PID:1244
-
\??\c:\bhhhnn.exec:\bhhhnn.exe186⤵PID:3816
-
\??\c:\ddvvp.exec:\ddvvp.exe187⤵PID:2900
-
\??\c:\ddvpv.exec:\ddvpv.exe188⤵PID:4804
-
\??\c:\rxlllll.exec:\rxlllll.exe189⤵PID:2368
-
\??\c:\hhnttb.exec:\hhnttb.exe190⤵PID:2120
-
\??\c:\jdpvp.exec:\jdpvp.exe191⤵PID:2136
-
\??\c:\jdppj.exec:\jdppj.exe192⤵PID:2444
-
\??\c:\xxllxfr.exec:\xxllxfr.exe193⤵PID:1008
-
\??\c:\bthhhh.exec:\bthhhh.exe194⤵PID:5044
-
\??\c:\hhhhhn.exec:\hhhhhn.exe195⤵PID:4500
-
\??\c:\rlxxrff.exec:\rlxxrff.exe196⤵PID:4704
-
\??\c:\xrrxxlr.exec:\xrrxxlr.exe197⤵PID:4864
-
\??\c:\7tttbb.exec:\7tttbb.exe198⤵PID:1940
-
\??\c:\jvvpj.exec:\jvvpj.exe199⤵PID:736
-
\??\c:\ffxfrlx.exec:\ffxfrlx.exe200⤵PID:664
-
\??\c:\bbhntt.exec:\bbhntt.exe201⤵PID:1148
-
\??\c:\ntthhn.exec:\ntthhn.exe202⤵PID:2424
-
\??\c:\1djjd.exec:\1djjd.exe203⤵PID:4816
-
\??\c:\jdvvp.exec:\jdvvp.exe204⤵PID:4772
-
\??\c:\nhhhbb.exec:\nhhhbb.exe205⤵PID:4284
-
\??\c:\lrrrlff.exec:\lrrrlff.exe206⤵PID:5092
-
\??\c:\xrxxrff.exec:\xrxxrff.exe207⤵PID:868
-
\??\c:\pjddd.exec:\pjddd.exe208⤵PID:4776
-
\??\c:\rrrrrxx.exec:\rrrrrxx.exe209⤵PID:4676
-
\??\c:\llrrrll.exec:\llrrrll.exe210⤵PID:2736
-
\??\c:\tnbhnn.exec:\tnbhnn.exe211⤵PID:3400
-
\??\c:\jdjjp.exec:\jdjjp.exe212⤵PID:4880
-
\??\c:\rrxrffx.exec:\rrxrffx.exe213⤵PID:680
-
\??\c:\thtbbb.exec:\thtbbb.exe214⤵PID:2452
-
\??\c:\ppvvp.exec:\ppvvp.exe215⤵PID:1676
-
\??\c:\xrfflll.exec:\xrfflll.exe216⤵PID:4620
-
\??\c:\tbbnbb.exec:\tbbnbb.exe217⤵PID:2768
-
\??\c:\ppddj.exec:\ppddj.exe218⤵PID:668
-
\??\c:\fllllff.exec:\fllllff.exe219⤵PID:1228
-
\??\c:\ttntbh.exec:\ttntbh.exe220⤵PID:3768
-
\??\c:\bhtnhn.exec:\bhtnhn.exe221⤵PID:116
-
\??\c:\rrlxfxl.exec:\rrlxfxl.exe222⤵PID:4840
-
\??\c:\httbbb.exec:\httbbb.exe223⤵PID:468
-
\??\c:\rxllxfr.exec:\rxllxfr.exe224⤵PID:4476
-
\??\c:\nnbbbh.exec:\nnbbbh.exe225⤵PID:4088
-
\??\c:\bbtttb.exec:\bbtttb.exe226⤵PID:4696
-
\??\c:\jdjjd.exec:\jdjjd.exe227⤵PID:4472
-
\??\c:\vdpjd.exec:\vdpjd.exe228⤵PID:3212
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe229⤵PID:1936
-
\??\c:\xffllrr.exec:\xffllrr.exe230⤵PID:4824
-
\??\c:\5bbnnt.exec:\5bbnnt.exe231⤵PID:3704
-
\??\c:\3pvdv.exec:\3pvdv.exe232⤵PID:1552
-
\??\c:\jjjjp.exec:\jjjjp.exe233⤵PID:1544
-
\??\c:\rxrrlxx.exec:\rxrrlxx.exe234⤵PID:4940
-
\??\c:\bnbnnn.exec:\bnbnnn.exe235⤵PID:4444
-
\??\c:\hhntnh.exec:\hhntnh.exe236⤵PID:972
-
\??\c:\djpjv.exec:\djpjv.exe237⤵PID:4392
-
\??\c:\jdvvv.exec:\jdvvv.exe238⤵PID:224
-
\??\c:\vpddj.exec:\vpddj.exe239⤵PID:4232
-
\??\c:\1xffrxf.exec:\1xffrxf.exe240⤵PID:1680
-
\??\c:\5rfffrr.exec:\5rfffrr.exe241⤵PID:4348
-
\??\c:\7hnnbb.exec:\7hnnbb.exe242⤵PID:4332