Analysis
-
max time kernel
150s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18/05/2024, 13:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ced448f808e040825b1bfb936f0f7fa0_NeikiAnalytics.exe
Resource
win7-20240508-en
5 signatures
150 seconds (note: the signatures and process tree reproduced below carry behavioral2/memory/... paths, so they appear to come from the Windows 10 2004 x64 run described at the top of this page, not from this Win7 behavioral1 task)
General
-
Target
ced448f808e040825b1bfb936f0f7fa0_NeikiAnalytics.exe
-
Size
459KB
-
MD5
ced448f808e040825b1bfb936f0f7fa0
-
SHA1
abc1c28dc81e47d5dabeb239f2d45d156c2ff199
-
SHA256
3bbe701b61223aaf2f3cbfba9d560dcd79d82fca48862bd769c0b0179e0acc3c
-
SHA512
8b9de3429bd541563707dd01484b9176a8d0fb3f7738e9be4275ff9828840d31c4cadc14d0eb1b7fb8a9cc1c3dc3cf21702373c56c9aef6d1946a6ed8750d11f
-
SSDEEP
6144:Pcm7ImGddXtWrXD486jJq1BStv4Ib1HmY:d7Tc9Wj16A3Stvxh
Malware Config (none extracted for this sample)
Signatures (all IoCs below are memory-dump matches from the behavioral2 run; every match lies in the same 0x0000000000400000-0x0000000000429000 image region of each process, and the unlabeled yara_rule block tagged `upx` is the UPX packer match on that same region)
-
Detect Blackmoon payload — 64 IoCs shown (yara rule family_blackmoon on the in-memory image). The process tree below runs past 120 processes while every signature on this page reports exactly 64 IoCs, so treat 64 as a display cap rather than a complete count.
resource yara_rule behavioral2/memory/1644-5-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3952-13-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1084-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4516-22-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3240-28-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4448-39-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4884-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2100-51-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3340-69-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4808-64-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4284-53-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4640-80-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3580-86-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4556-92-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1184-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4428-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1844-106-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1268-120-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1736-128-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4660-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4920-157-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4852-163-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1436-171-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4692-177-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/852-189-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4360-197-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3516-205-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4552-209-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3240-222-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/892-230-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4892-232-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1968-241-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1248-246-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2228-250-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/876-265-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4064-267-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3724-275-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1016-281-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/936-297-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5068-323-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1536-327-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4396-331-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3568-351-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4584-358-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4140-365-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3244-424-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5100-429-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2888-445-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2156-452-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2576-456-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1456-481-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3336-509-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/400-555-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2640-577-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2516-645-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/820-658-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4900-720-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5108-751-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3116-828-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4652-844-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4140-909-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4644-1283-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1216-1327-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2184-1482-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs shown (capped). Every dropped binary is written to the root of C:\ (\??\c:\<name>.exe) with a short pseudo-random name drawn from a small alphabet (b, d, f, h, j, l, n, p, r, t, v, x and digits); detection should key on executables being created and launched from the C:\ root by a non-installer parent, and on the repeated 0x400000-0x429000 UPX image, rather than on the specific filenames.
pid Process 3952 lxfxlfl.exe 1084 btbbbb.exe 4516 5djvd.exe 3240 bnttnt.exe 4884 5fflfxf.exe 4448 thnttn.exe 2100 vppjd.exe 4284 bbhtnh.exe 4808 pjjjd.exe 2228 rlrlffx.exe 3340 3tbttt.exe 4640 ddvvj.exe 3580 dddpp.exe 4556 nntnhh.exe 1184 xlrlfxr.exe 4428 vjdvp.exe 1844 1frrxlf.exe 1268 xfxrxrx.exe 5100 dvvpv.exe 1564 bbnnnn.exe 1736 vjvvp.exe 3608 7xrlfff.exe 2652 xxfxxxr.exe 4660 1htttb.exe 1536 htbbbb.exe 4920 tntnnn.exe 4852 tnbbhh.exe 1436 5rxxxll.exe 4692 7djdd.exe 2212 3nnbtt.exe 852 fxfrlxr.exe 4584 vpppd.exe 4360 nhhbtn.exe 4536 frfxllf.exe 3516 3hnhnn.exe 4552 llffxxr.exe 4012 5nnhhh.exe 628 vjjdd.exe 4516 3rfrllx.exe 3240 1nnhbb.exe 4976 jvvjd.exe 892 lxfrllf.exe 4892 9nnntt.exe 1476 bbnnnn.exe 1968 ppddv.exe 2004 fxrlflf.exe 1248 hbbhbb.exe 2228 3dvvd.exe 4664 xfxrfxf.exe 1424 ntbhhb.exe 3836 dpvjv.exe 876 rlrflfl.exe 4064 btnnbb.exe 1680 dvdvv.exe 3724 xrrlxxf.exe 2384 tnhhbb.exe 1016 pjvpj.exe 1976 pdjvj.exe 4696 7rlffff.exe 4272 thnnhh.exe 936 jpvjj.exe 4900 lflfxxx.exe 4112 ntbbtn.exe 4068 9jdvv.exe -
resource yara_rule behavioral2/memory/1644-5-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3952-7-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1084-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3952-13-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1084-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4516-22-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3240-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4448-39-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4884-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2100-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2100-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3340-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4808-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4284-53-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4640-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3580-86-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4556-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1184-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4428-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1844-106-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1268-120-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1736-128-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1564-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4660-147-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/1536-150-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4920-157-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4852-163-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1436-171-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4692-177-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/852-189-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4360-197-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3516-201-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3516-205-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4552-209-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3240-222-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/892-226-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/892-230-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4892-232-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1968-241-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1248-246-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2228-250-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/876-265-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4064-267-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3724-275-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1016-281-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/936-297-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4112-301-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5068-323-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/1536-327-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4396-331-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3568-351-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4584-354-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4584-358-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4140-365-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4712-411-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3244-424-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1268-425-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5100-429-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2888-445-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2156-452-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2576-456-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1456-481-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3336-509-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/400-555-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory — 64 IoCs shown (capped). Each spawn is logged three times with the same PID triplet, and every write targets the PID of the child the writer has just launched (the next dropped EXE in the chain), so this is parent-to-child memory writing along a self-propagating chain rather than injection into an unrelated, pre-existing process; the chain depth itself (122 levels in the process tree below) is a strong behavioral indicator.
description pid Process procid_target PID 1644 wrote to memory of 3952 1644 ced448f808e040825b1bfb936f0f7fa0_NeikiAnalytics.exe 84 PID 1644 wrote to memory of 3952 1644 ced448f808e040825b1bfb936f0f7fa0_NeikiAnalytics.exe 84 PID 1644 wrote to memory of 3952 1644 ced448f808e040825b1bfb936f0f7fa0_NeikiAnalytics.exe 84 PID 3952 wrote to memory of 1084 3952 lxfxlfl.exe 85 PID 3952 wrote to memory of 1084 3952 lxfxlfl.exe 85 PID 3952 wrote to memory of 1084 3952 lxfxlfl.exe 85 PID 1084 wrote to memory of 4516 1084 btbbbb.exe 86 PID 1084 wrote to memory of 4516 1084 btbbbb.exe 86 PID 1084 wrote to memory of 4516 1084 btbbbb.exe 86 PID 4516 wrote to memory of 3240 4516 5djvd.exe 87 PID 4516 wrote to memory of 3240 4516 5djvd.exe 87 PID 4516 wrote to memory of 3240 4516 5djvd.exe 87 PID 3240 wrote to memory of 4884 3240 bnttnt.exe 88 PID 3240 wrote to memory of 4884 3240 bnttnt.exe 88 PID 3240 wrote to memory of 4884 3240 bnttnt.exe 88 PID 4884 wrote to memory of 4448 4884 5fflfxf.exe 89 PID 4884 wrote to memory of 4448 4884 5fflfxf.exe 89 PID 4884 wrote to memory of 4448 4884 5fflfxf.exe 89 PID 4448 wrote to memory of 2100 4448 thnttn.exe 90 PID 4448 wrote to memory of 2100 4448 thnttn.exe 90 PID 4448 wrote to memory of 2100 4448 thnttn.exe 90 PID 2100 wrote to memory of 4284 2100 vppjd.exe 91 PID 2100 wrote to memory of 4284 2100 vppjd.exe 91 PID 2100 wrote to memory of 4284 2100 vppjd.exe 91 PID 4284 wrote to memory of 4808 4284 bbhtnh.exe 92 PID 4284 wrote to memory of 4808 4284 bbhtnh.exe 92 PID 4284 wrote to memory of 4808 4284 bbhtnh.exe 92 PID 4808 wrote to memory of 2228 4808 pjjjd.exe 94 PID 4808 wrote to memory of 2228 4808 pjjjd.exe 94 PID 4808 wrote to memory of 2228 4808 pjjjd.exe 94 PID 2228 wrote to memory of 3340 2228 rlrlffx.exe 95 PID 2228 wrote to memory of 3340 2228 rlrlffx.exe 95 PID 2228 wrote to memory of 3340 2228 rlrlffx.exe 95 PID 3340 wrote to memory of 4640 3340 3tbttt.exe 96 PID 3340 wrote to memory of 4640 3340 3tbttt.exe 96 PID 3340 wrote to 
memory of 4640 3340 3tbttt.exe 96 PID 4640 wrote to memory of 3580 4640 ddvvj.exe 97 PID 4640 wrote to memory of 3580 4640 ddvvj.exe 97 PID 4640 wrote to memory of 3580 4640 ddvvj.exe 97 PID 3580 wrote to memory of 4556 3580 dddpp.exe 99 PID 3580 wrote to memory of 4556 3580 dddpp.exe 99 PID 3580 wrote to memory of 4556 3580 dddpp.exe 99 PID 4556 wrote to memory of 1184 4556 nntnhh.exe 100 PID 4556 wrote to memory of 1184 4556 nntnhh.exe 100 PID 4556 wrote to memory of 1184 4556 nntnhh.exe 100 PID 1184 wrote to memory of 4428 1184 xlrlfxr.exe 101 PID 1184 wrote to memory of 4428 1184 xlrlfxr.exe 101 PID 1184 wrote to memory of 4428 1184 xlrlfxr.exe 101 PID 4428 wrote to memory of 1844 4428 vjdvp.exe 102 PID 4428 wrote to memory of 1844 4428 vjdvp.exe 102 PID 4428 wrote to memory of 1844 4428 vjdvp.exe 102 PID 1844 wrote to memory of 1268 1844 1frrxlf.exe 103 PID 1844 wrote to memory of 1268 1844 1frrxlf.exe 103 PID 1844 wrote to memory of 1268 1844 1frrxlf.exe 103 PID 1268 wrote to memory of 5100 1268 xfxrxrx.exe 104 PID 1268 wrote to memory of 5100 1268 xfxrxrx.exe 104 PID 1268 wrote to memory of 5100 1268 xfxrxrx.exe 104 PID 5100 wrote to memory of 1564 5100 dvvpv.exe 106 PID 5100 wrote to memory of 1564 5100 dvvpv.exe 106 PID 5100 wrote to memory of 1564 5100 dvvpv.exe 106 PID 1564 wrote to memory of 1736 1564 bbnnnn.exe 107 PID 1564 wrote to memory of 1736 1564 bbnnnn.exe 107 PID 1564 wrote to memory of 1736 1564 bbnnnn.exe 107 PID 1736 wrote to memory of 3608 1736 vjvvp.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\ced448f808e040825b1bfb936f0f7fa0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ced448f808e040825b1bfb936f0f7fa0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\lxfxlfl.exec:\lxfxlfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\btbbbb.exec:\btbbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\5djvd.exec:\5djvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\bnttnt.exec:\bnttnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\5fflfxf.exec:\5fflfxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\thnttn.exec:\thnttn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\vppjd.exec:\vppjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\bbhtnh.exec:\bbhtnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\pjjjd.exec:\pjjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\rlrlffx.exec:\rlrlffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\3tbttt.exec:\3tbttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\ddvvj.exec:\ddvvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\dddpp.exec:\dddpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\nntnhh.exec:\nntnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\vjdvp.exec:\vjdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\1frrxlf.exec:\1frrxlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\xfxrxrx.exec:\xfxrxrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\dvvpv.exec:\dvvpv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\bbnnnn.exec:\bbnnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\vjvvp.exec:\vjvvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\7xrlfff.exec:\7xrlfff.exe23⤵
- Executes dropped EXE
PID:3608 -
\??\c:\xxfxxxr.exec:\xxfxxxr.exe24⤵
- Executes dropped EXE
PID:2652 -
\??\c:\1htttb.exec:\1htttb.exe25⤵
- Executes dropped EXE
PID:4660 -
\??\c:\htbbbb.exec:\htbbbb.exe26⤵
- Executes dropped EXE
PID:1536 -
\??\c:\tntnnn.exec:\tntnnn.exe27⤵
- Executes dropped EXE
PID:4920 -
\??\c:\tnbbhh.exec:\tnbbhh.exe28⤵
- Executes dropped EXE
PID:4852 -
\??\c:\5rxxxll.exec:\5rxxxll.exe29⤵
- Executes dropped EXE
PID:1436 -
\??\c:\7djdd.exec:\7djdd.exe30⤵
- Executes dropped EXE
PID:4692 -
\??\c:\3nnbtt.exec:\3nnbtt.exe31⤵
- Executes dropped EXE
PID:2212 -
\??\c:\fxfrlxr.exec:\fxfrlxr.exe32⤵
- Executes dropped EXE
PID:852 -
\??\c:\vpppd.exec:\vpppd.exe33⤵
- Executes dropped EXE
PID:4584 -
\??\c:\nhhbtn.exec:\nhhbtn.exe34⤵
- Executes dropped EXE
PID:4360 -
\??\c:\frfxllf.exec:\frfxllf.exe35⤵
- Executes dropped EXE
PID:4536 -
\??\c:\3hnhnn.exec:\3hnhnn.exe36⤵
- Executes dropped EXE
PID:3516 -
\??\c:\llffxxr.exec:\llffxxr.exe37⤵
- Executes dropped EXE
PID:4552 -
\??\c:\5nnhhh.exec:\5nnhhh.exe38⤵
- Executes dropped EXE
PID:4012 -
\??\c:\vjjdd.exec:\vjjdd.exe39⤵
- Executes dropped EXE
PID:628 -
\??\c:\3rfrllx.exec:\3rfrllx.exe40⤵
- Executes dropped EXE
PID:4516 -
\??\c:\1nnhbb.exec:\1nnhbb.exe41⤵
- Executes dropped EXE
PID:3240 -
\??\c:\jvvjd.exec:\jvvjd.exe42⤵
- Executes dropped EXE
PID:4976 -
\??\c:\lxfrllf.exec:\lxfrllf.exe43⤵
- Executes dropped EXE
PID:892 -
\??\c:\9nnntt.exec:\9nnntt.exe44⤵
- Executes dropped EXE
PID:4892 -
\??\c:\bbnnnn.exec:\bbnnnn.exe45⤵
- Executes dropped EXE
PID:1476 -
\??\c:\ppddv.exec:\ppddv.exe46⤵
- Executes dropped EXE
PID:1968 -
\??\c:\fxrlflf.exec:\fxrlflf.exe47⤵
- Executes dropped EXE
PID:2004 -
\??\c:\hbbhbb.exec:\hbbhbb.exe48⤵
- Executes dropped EXE
PID:1248 -
\??\c:\3dvvd.exec:\3dvvd.exe49⤵
- Executes dropped EXE
PID:2228 -
\??\c:\xfxrfxf.exec:\xfxrfxf.exe50⤵
- Executes dropped EXE
PID:4664 -
\??\c:\ntbhhb.exec:\ntbhhb.exe51⤵
- Executes dropped EXE
PID:1424 -
\??\c:\dpvjv.exec:\dpvjv.exe52⤵
- Executes dropped EXE
PID:3836 -
\??\c:\rlrflfl.exec:\rlrflfl.exe53⤵
- Executes dropped EXE
PID:876 -
\??\c:\btnnbb.exec:\btnnbb.exe54⤵
- Executes dropped EXE
PID:4064 -
\??\c:\dvdvv.exec:\dvdvv.exe55⤵
- Executes dropped EXE
PID:1680 -
\??\c:\xrrlxxf.exec:\xrrlxxf.exe56⤵
- Executes dropped EXE
PID:3724 -
\??\c:\tnhhbb.exec:\tnhhbb.exe57⤵
- Executes dropped EXE
PID:2384 -
\??\c:\pjvpj.exec:\pjvpj.exe58⤵
- Executes dropped EXE
PID:1016 -
\??\c:\pdjvj.exec:\pdjvj.exe59⤵
- Executes dropped EXE
PID:1976 -
\??\c:\7rlffff.exec:\7rlffff.exe60⤵
- Executes dropped EXE
PID:4696 -
\??\c:\thnnhh.exec:\thnnhh.exe61⤵
- Executes dropped EXE
PID:4272 -
\??\c:\jpvjj.exec:\jpvjj.exe62⤵
- Executes dropped EXE
PID:936 -
\??\c:\lflfxxx.exec:\lflfxxx.exe63⤵
- Executes dropped EXE
PID:4900 -
\??\c:\ntbbtn.exec:\ntbbtn.exe64⤵
- Executes dropped EXE
PID:4112 -
\??\c:\9jdvv.exec:\9jdvv.exe65⤵
- Executes dropped EXE
PID:4068 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe66⤵PID:4672
-
\??\c:\bnthtt.exec:\bnthtt.exe67⤵PID:2468
-
\??\c:\9dvvp.exec:\9dvvp.exe68⤵PID:2652
-
\??\c:\pjjjd.exec:\pjjjd.exe69⤵PID:2236
-
\??\c:\fxrlllf.exec:\fxrlllf.exe70⤵PID:5068
-
\??\c:\nhttnt.exec:\nhttnt.exe71⤵PID:1536
-
\??\c:\jdvpp.exec:\jdvpp.exe72⤵PID:4268
-
\??\c:\lllffff.exec:\lllffff.exe73⤵PID:4396
-
\??\c:\5llfffx.exec:\5llfffx.exe74⤵PID:2844
-
\??\c:\bthbtn.exec:\bthbtn.exe75⤵PID:1456
-
\??\c:\3ppjd.exec:\3ppjd.exe76⤵PID:2264
-
\??\c:\3vdvv.exec:\3vdvv.exe77⤵PID:3112
-
\??\c:\rffxxrr.exec:\rffxxrr.exe78⤵PID:2212
-
\??\c:\nhthnh.exec:\nhthnh.exe79⤵PID:3568
-
\??\c:\bntnhh.exec:\bntnhh.exe80⤵PID:4584
-
\??\c:\3djjd.exec:\3djjd.exe81⤵PID:3592
-
\??\c:\rrllflf.exec:\rrllflf.exe82⤵PID:4140
-
\??\c:\hbbbtt.exec:\hbbbtt.exe83⤵PID:1084
-
\??\c:\btbhbt.exec:\btbhbt.exe84⤵PID:2516
-
\??\c:\dvvpj.exec:\dvvpj.exe85⤵PID:4516
-
\??\c:\3lrlflf.exec:\3lrlflf.exe86⤵PID:2980
-
\??\c:\ntnbtt.exec:\ntnbtt.exe87⤵PID:4864
-
\??\c:\bbnhhh.exec:\bbnhhh.exe88⤵PID:2028
-
\??\c:\pvjjd.exec:\pvjjd.exe89⤵PID:5044
-
\??\c:\3fffrrl.exec:\3fffrrl.exe90⤵PID:3308
-
\??\c:\xxflffx.exec:\xxflffx.exe91⤵PID:3036
-
\??\c:\5tbtnt.exec:\5tbtnt.exe92⤵PID:4664
-
\??\c:\ppjdv.exec:\ppjdv.exe93⤵PID:4640
-
\??\c:\xrfffff.exec:\xrfffff.exe94⤵PID:4728
-
\??\c:\nhhhbh.exec:\nhhhbh.exe95⤵PID:3884
-
\??\c:\hbtnhh.exec:\hbtnhh.exe96⤵PID:4504
-
\??\c:\pvddv.exec:\pvddv.exe97⤵PID:4064
-
\??\c:\rrllfll.exec:\rrllfll.exe98⤵PID:4712
-
\??\c:\rxffrrf.exec:\rxffrrf.exe99⤵PID:3356
-
\??\c:\pvpjd.exec:\pvpjd.exe100⤵PID:3128
-
\??\c:\ddvpd.exec:\ddvpd.exe101⤵PID:3244
-
\??\c:\xrllrrx.exec:\xrllrrx.exe102⤵PID:1268
-
\??\c:\hnhnhh.exec:\hnhnhh.exe103⤵PID:5100
-
\??\c:\3dpdv.exec:\3dpdv.exe104⤵PID:908
-
\??\c:\xfxffll.exec:\xfxffll.exe105⤵PID:1564
-
\??\c:\3bhbtt.exec:\3bhbtt.exe106⤵PID:2724
-
\??\c:\5hbbhh.exec:\5hbbhh.exe107⤵PID:2888
-
\??\c:\jvjdv.exec:\jvjdv.exe108⤵PID:4564
-
\??\c:\1rlfxrl.exec:\1rlfxrl.exe109⤵PID:2156
-
\??\c:\hhnnhh.exec:\hhnnhh.exe110⤵PID:1796
-
\??\c:\ddjjj.exec:\ddjjj.exe111⤵PID:2576
-
\??\c:\jdvpj.exec:\jdvpj.exe112⤵PID:2484
-
\??\c:\llxrllf.exec:\llxrllf.exe113⤵PID:3228
-
\??\c:\1bnhbb.exec:\1bnhbb.exe114⤵PID:1604
-
\??\c:\dpvpd.exec:\dpvpd.exe115⤵PID:4588
-
\??\c:\lfxrlrr.exec:\lfxrlrr.exe116⤵PID:2272
-
\??\c:\lrrlfxx.exec:\lrrlfxx.exe117⤵PID:1252
-
\??\c:\nthbbt.exec:\nthbbt.exe118⤵PID:1456
-
\??\c:\vpppd.exec:\vpppd.exe119⤵PID:2264
-
\??\c:\pvpjv.exec:\pvpjv.exe120⤵PID:924
-
\??\c:\9xfxxxx.exec:\9xfxxxx.exe121⤵PID:4668
-
\??\c:\htnhhn.exec:\htnhhn.exe122⤵PID:4908