Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
18/05/2024, 14:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d3c248fa0666c1b973aeac6ab094fee0_NeikiAnalytics.exe
Resource
win7-20240215-en
5 signatures
150 seconds
General
-
Target
d3c248fa0666c1b973aeac6ab094fee0_NeikiAnalytics.exe
-
Size
393KB
-
MD5
d3c248fa0666c1b973aeac6ab094fee0
-
SHA1
7332ef6c716cdb2854020e224916394a830a205c
-
SHA256
1291724924e51ddf06a9bbe5b91fcc234658a0477f5bcef9111ebb56e68b284c
-
SHA512
8ca1aa2250078b4fcd28df860ee893b372c408017d5eae422f14997f800d839ee708c3d0209c1db8ea5a8c1a36b63613058ca93aa7504901cd3835ea453efee3
-
SSDEEP
6144:Acm7ImGddX5WrXF5lpKGYV0aTk/BO0XJm4UEPOshN/xdKnvP48bmRs:m7TcJWjdpKGATTk/jYIOWN/KnnPP
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/404-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4452-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3060-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4768-745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1444 nttttn.exe 4428 lxrlxfr.exe 3608 tbtnbb.exe 720 pjvpd.exe 996 lxrrlll.exe 1984 1rxxxrr.exe 3656 1xffrrf.exe 5072 tbhhtt.exe 2488 ppvvd.exe 4548 1xxrllf.exe 4236 htttnn.exe 1112 xfllflr.exe 2880 nhnhhh.exe 2876 djddd.exe 4888 bhtnhh.exe 2780 lffflff.exe 1492 7rxxrrr.exe 4580 tbbbnn.exe 844 vpjjd.exe 1860 fxrrxff.exe 4992 ttttnn.exe 4256 3rxrrrr.exe 4100 5hnnht.exe 2220 pdjdv.exe 2344 rrllfff.exe 5020 thttnh.exe 4572 7vpjj.exe 4716 fllxlfl.exe 2824 9nhhtt.exe 3304 ddjjj.exe 3008 ffllffl.exe 2548 hbnhnn.exe 4612 ppvpp.exe 3236 lfllfxr.exe 4452 hbbhhn.exe 3396 1nhhhh.exe 3360 3djjd.exe 4440 ffrrllf.exe 4180 hhhtnn.exe 4248 pdjjp.exe 4332 rfllfxr.exe 3244 xxfxllx.exe 1824 tbhhhh.exe 2272 vjddd.exe 4712 rllfxrl.exe 4844 xllfffx.exe 5104 nntnnh.exe 2660 jjdvd.exe 4820 rlxxrrr.exe 4848 7xxrrrl.exe 4568 hbbhhb.exe 2008 djpdd.exe 1008 jvvvd.exe 5032 llrrxrx.exe 2400 htntbh.exe 4480 1ppjv.exe 4804 xfllffr.exe 5044 nnbbhh.exe 4380 bhbtth.exe 1892 7djvj.exe 4396 9flxrlx.exe 5116 tbnnnh.exe 2148 1jjjj.exe 4600 9pvvv.exe -
resource yara_rule behavioral2/memory/404-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2548-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-336-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2312-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-442-0x0000000000400000-0x000000000042A000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 404 wrote to memory of 1444 404 d3c248fa0666c1b973aeac6ab094fee0_NeikiAnalytics.exe 82 PID 404 wrote to memory of 1444 404 d3c248fa0666c1b973aeac6ab094fee0_NeikiAnalytics.exe 82 PID 404 wrote to memory of 1444 404 d3c248fa0666c1b973aeac6ab094fee0_NeikiAnalytics.exe 82 PID 1444 wrote to memory of 4428 1444 nttttn.exe 83 PID 1444 wrote to memory of 4428 1444 nttttn.exe 83 PID 1444 wrote to memory of 4428 1444 nttttn.exe 83 PID 4428 wrote to memory of 3608 4428 lxrlxfr.exe 84 PID 4428 wrote to memory of 3608 4428 lxrlxfr.exe 84 PID 4428 wrote to memory of 3608 4428 lxrlxfr.exe 84 PID 3608 wrote to memory of 720 3608 tbtnbb.exe 85 PID 3608 wrote to memory of 720 3608 tbtnbb.exe 85 PID 3608 wrote to memory of 720 3608 tbtnbb.exe 85 PID 720 wrote to memory of 996 720 pjvpd.exe 86 PID 720 wrote to memory of 996 720 pjvpd.exe 86 PID 720 wrote to memory of 996 720 pjvpd.exe 86 PID 996 wrote to memory of 1984 996 lxrrlll.exe 87 PID 996 wrote to memory of 1984 996 lxrrlll.exe 87 PID 996 wrote to memory of 1984 996 lxrrlll.exe 87 PID 1984 wrote to memory of 3656 1984 1rxxxrr.exe 88 PID 1984 wrote to memory of 3656 1984 1rxxxrr.exe 88 PID 1984 wrote to memory of 3656 1984 1rxxxrr.exe 88 PID 3656 wrote to memory of 5072 3656 1xffrrf.exe 89 PID 3656 wrote to memory of 5072 3656 1xffrrf.exe 89 PID 3656 wrote to memory of 5072 3656 1xffrrf.exe 89 PID 5072 wrote to memory of 2488 5072 tbhhtt.exe 90 PID 5072 wrote to memory of 2488 5072 tbhhtt.exe 90 PID 5072 wrote to memory of 2488 5072 tbhhtt.exe 90 PID 2488 wrote to memory of 4548 2488 ppvvd.exe 91 PID 2488 wrote to memory of 4548 2488 ppvvd.exe 91 PID 2488 wrote to memory of 4548 2488 ppvvd.exe 91 PID 4548 wrote to memory of 4236 4548 1xxrllf.exe 92 PID 4548 wrote to memory of 4236 4548 1xxrllf.exe 92 PID 4548 wrote to memory of 4236 4548 1xxrllf.exe 92 PID 4236 wrote to memory of 1112 4236 htttnn.exe 93 PID 4236 wrote to memory of 1112 4236 htttnn.exe 93 PID 4236 wrote to memory of 1112 
4236 htttnn.exe 93 PID 1112 wrote to memory of 2880 1112 xfllflr.exe 94 PID 1112 wrote to memory of 2880 1112 xfllflr.exe 94 PID 1112 wrote to memory of 2880 1112 xfllflr.exe 94 PID 2880 wrote to memory of 2876 2880 nhnhhh.exe 96 PID 2880 wrote to memory of 2876 2880 nhnhhh.exe 96 PID 2880 wrote to memory of 2876 2880 nhnhhh.exe 96 PID 2876 wrote to memory of 4888 2876 djddd.exe 97 PID 2876 wrote to memory of 4888 2876 djddd.exe 97 PID 2876 wrote to memory of 4888 2876 djddd.exe 97 PID 4888 wrote to memory of 2780 4888 bhtnhh.exe 99 PID 4888 wrote to memory of 2780 4888 bhtnhh.exe 99 PID 4888 wrote to memory of 2780 4888 bhtnhh.exe 99 PID 2780 wrote to memory of 1492 2780 lffflff.exe 100 PID 2780 wrote to memory of 1492 2780 lffflff.exe 100 PID 2780 wrote to memory of 1492 2780 lffflff.exe 100 PID 1492 wrote to memory of 4580 1492 7rxxrrr.exe 101 PID 1492 wrote to memory of 4580 1492 7rxxrrr.exe 101 PID 1492 wrote to memory of 4580 1492 7rxxrrr.exe 101 PID 4580 wrote to memory of 844 4580 tbbbnn.exe 102 PID 4580 wrote to memory of 844 4580 tbbbnn.exe 102 PID 4580 wrote to memory of 844 4580 tbbbnn.exe 102 PID 844 wrote to memory of 1860 844 vpjjd.exe 103 PID 844 wrote to memory of 1860 844 vpjjd.exe 103 PID 844 wrote to memory of 1860 844 vpjjd.exe 103 PID 1860 wrote to memory of 4992 1860 fxrrxff.exe 104 PID 1860 wrote to memory of 4992 1860 fxrrxff.exe 104 PID 1860 wrote to memory of 4992 1860 fxrrxff.exe 104 PID 4992 wrote to memory of 4256 4992 ttttnn.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3c248fa0666c1b973aeac6ab094fee0_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\d3c248fa0666c1b973aeac6ab094fee0_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\nttttn.exec:\nttttn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\lxrlxfr.exec:\lxrlxfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\tbtnbb.exec:\tbtnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\pjvpd.exec:\pjvpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\lxrrlll.exec:\lxrrlll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\1rxxxrr.exec:\1rxxxrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\1xffrrf.exec:\1xffrrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\tbhhtt.exec:\tbhhtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\ppvvd.exec:\ppvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\1xxrllf.exec:\1xxrllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\htttnn.exec:\htttnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\xfllflr.exec:\xfllflr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\nhnhhh.exec:\nhnhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\djddd.exec:\djddd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\bhtnhh.exec:\bhtnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\lffflff.exec:\lffflff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\7rxxrrr.exec:\7rxxrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\tbbbnn.exec:\tbbbnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\vpjjd.exec:\vpjjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\fxrrxff.exec:\fxrrxff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\ttttnn.exec:\ttttnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\3rxrrrr.exec:\3rxrrrr.exe23⤵
- Executes dropped EXE
PID:4256 -
\??\c:\5hnnht.exec:\5hnnht.exe24⤵
- Executes dropped EXE
PID:4100 -
\??\c:\pdjdv.exec:\pdjdv.exe25⤵
- Executes dropped EXE
PID:2220 -
\??\c:\rrllfff.exec:\rrllfff.exe26⤵
- Executes dropped EXE
PID:2344 -
\??\c:\thttnh.exec:\thttnh.exe27⤵
- Executes dropped EXE
PID:5020 -
\??\c:\7vpjj.exec:\7vpjj.exe28⤵
- Executes dropped EXE
PID:4572 -
\??\c:\fllxlfl.exec:\fllxlfl.exe29⤵
- Executes dropped EXE
PID:4716 -
\??\c:\9nhhtt.exec:\9nhhtt.exe30⤵
- Executes dropped EXE
PID:2824 -
\??\c:\ddjjj.exec:\ddjjj.exe31⤵
- Executes dropped EXE
PID:3304 -
\??\c:\ffllffl.exec:\ffllffl.exe32⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hbnhnn.exec:\hbnhnn.exe33⤵
- Executes dropped EXE
PID:2548 -
\??\c:\ppvpp.exec:\ppvpp.exe34⤵
- Executes dropped EXE
PID:4612 -
\??\c:\lfllfxr.exec:\lfllfxr.exe35⤵
- Executes dropped EXE
PID:3236 -
\??\c:\hbbhhn.exec:\hbbhhn.exe36⤵
- Executes dropped EXE
PID:4452 -
\??\c:\1nhhhh.exec:\1nhhhh.exe37⤵
- Executes dropped EXE
PID:3396 -
\??\c:\3djjd.exec:\3djjd.exe38⤵
- Executes dropped EXE
PID:3360 -
\??\c:\ffrrllf.exec:\ffrrllf.exe39⤵
- Executes dropped EXE
PID:4440 -
\??\c:\hhhtnn.exec:\hhhtnn.exe40⤵
- Executes dropped EXE
PID:4180 -
\??\c:\pdjjp.exec:\pdjjp.exe41⤵
- Executes dropped EXE
PID:4248 -
\??\c:\rfllfxr.exec:\rfllfxr.exe42⤵
- Executes dropped EXE
PID:4332 -
\??\c:\xxfxllx.exec:\xxfxllx.exe43⤵
- Executes dropped EXE
PID:3244 -
\??\c:\tbhhhh.exec:\tbhhhh.exe44⤵
- Executes dropped EXE
PID:1824 -
\??\c:\vjddd.exec:\vjddd.exe45⤵
- Executes dropped EXE
PID:2272 -
\??\c:\rllfxrl.exec:\rllfxrl.exe46⤵
- Executes dropped EXE
PID:4712 -
\??\c:\xllfffx.exec:\xllfffx.exe47⤵
- Executes dropped EXE
PID:4844 -
\??\c:\nntnnh.exec:\nntnnh.exe48⤵
- Executes dropped EXE
PID:5104 -
\??\c:\jjdvd.exec:\jjdvd.exe49⤵
- Executes dropped EXE
PID:2660 -
\??\c:\rlxxrrr.exec:\rlxxrrr.exe50⤵
- Executes dropped EXE
PID:4820 -
\??\c:\7xxrrrl.exec:\7xxrrrl.exe51⤵
- Executes dropped EXE
PID:4848 -
\??\c:\hbbhhb.exec:\hbbhhb.exe52⤵
- Executes dropped EXE
PID:4568 -
\??\c:\djpdd.exec:\djpdd.exe53⤵
- Executes dropped EXE
PID:2008 -
\??\c:\jvvvd.exec:\jvvvd.exe54⤵
- Executes dropped EXE
PID:1008 -
\??\c:\llrrxrx.exec:\llrrxrx.exe55⤵
- Executes dropped EXE
PID:5032 -
\??\c:\htntbh.exec:\htntbh.exe56⤵
- Executes dropped EXE
PID:2400 -
\??\c:\1ppjv.exec:\1ppjv.exe57⤵
- Executes dropped EXE
PID:4480 -
\??\c:\xfllffr.exec:\xfllffr.exe58⤵
- Executes dropped EXE
PID:4804 -
\??\c:\nnbbhh.exec:\nnbbhh.exe59⤵
- Executes dropped EXE
PID:5044 -
\??\c:\bhbtth.exec:\bhbtth.exe60⤵
- Executes dropped EXE
PID:4380 -
\??\c:\7djvj.exec:\7djvj.exe61⤵
- Executes dropped EXE
PID:1892 -
\??\c:\9flxrlx.exec:\9flxrlx.exe62⤵
- Executes dropped EXE
PID:4396 -
\??\c:\tbnnnh.exec:\tbnnnh.exe63⤵
- Executes dropped EXE
PID:5116 -
\??\c:\1jjjj.exec:\1jjjj.exe64⤵
- Executes dropped EXE
PID:2148 -
\??\c:\9pvvv.exec:\9pvvv.exe65⤵
- Executes dropped EXE
PID:4600 -
\??\c:\3llfrrx.exec:\3llfrrx.exe66⤵PID:1712
-
\??\c:\nnttnt.exec:\nnttnt.exe67⤵PID:3816
-
\??\c:\dvvpj.exec:\dvvpj.exe68⤵PID:1912
-
\??\c:\xrllrrl.exec:\xrllrrl.exe69⤵PID:1440
-
\??\c:\xxfxxlf.exec:\xxfxxlf.exe70⤵PID:4992
-
\??\c:\pdjdv.exec:\pdjdv.exe71⤵PID:3540
-
\??\c:\llrrxxr.exec:\llrrxxr.exe72⤵PID:4100
-
\??\c:\nnbbtt.exec:\nnbbtt.exe73⤵PID:2540
-
\??\c:\vddpj.exec:\vddpj.exe74⤵PID:2344
-
\??\c:\fxxrlrf.exec:\fxxrlrf.exe75⤵PID:5064
-
\??\c:\frxrrrr.exec:\frxrrrr.exe76⤵PID:2312
-
\??\c:\bbhbbb.exec:\bbhbbb.exe77⤵PID:4164
-
\??\c:\3dppj.exec:\3dppj.exe78⤵PID:4716
-
\??\c:\3jvpv.exec:\3jvpv.exe79⤵PID:2776
-
\??\c:\xllxrlx.exec:\xllxrlx.exe80⤵PID:2516
-
\??\c:\hbhtnn.exec:\hbhtnn.exe81⤵PID:2548
-
\??\c:\5jpjj.exec:\5jpjj.exe82⤵PID:2692
-
\??\c:\ffffffl.exec:\ffffffl.exe83⤵PID:4996
-
\??\c:\xxrlfff.exec:\xxrlfff.exe84⤵PID:5016
-
\??\c:\jpppp.exec:\jpppp.exe85⤵PID:4360
-
\??\c:\xrrlffx.exec:\xrrlffx.exe86⤵PID:2640
-
\??\c:\3xxxrxx.exec:\3xxxrxx.exe87⤵PID:4312
-
\??\c:\hbhbht.exec:\hbhbht.exe88⤵PID:3060
-
\??\c:\nnnhhn.exec:\nnnhhn.exe89⤵PID:4592
-
\??\c:\dpjvp.exec:\dpjvp.exe90⤵PID:2012
-
\??\c:\3lllflr.exec:\3lllflr.exe91⤵PID:4948
-
\??\c:\nbbttt.exec:\nbbttt.exe92⤵PID:3724
-
\??\c:\hbhnnn.exec:\hbhnnn.exe93⤵PID:3920
-
\??\c:\rrfllrr.exec:\rrfllrr.exe94⤵PID:1104
-
\??\c:\llxrrrr.exec:\llxrrrr.exe95⤵PID:4712
-
\??\c:\5ntnhh.exec:\5ntnhh.exe96⤵PID:1928
-
\??\c:\nhttnn.exec:\nhttnn.exe97⤵PID:4496
-
\??\c:\dpddp.exec:\dpddp.exe98⤵PID:2660
-
\??\c:\9rrlfff.exec:\9rrlfff.exe99⤵PID:4840
-
\??\c:\hhtnhn.exec:\hhtnhn.exe100⤵PID:4548
-
\??\c:\7bhhbb.exec:\7bhhbb.exe101⤵PID:2644
-
\??\c:\dpjjp.exec:\dpjjp.exe102⤵PID:2008
-
\??\c:\5llfxxr.exec:\5llfxxr.exe103⤵PID:1008
-
\??\c:\nhbtnn.exec:\nhbtnn.exe104⤵PID:5032
-
\??\c:\3bbnbt.exec:\3bbnbt.exe105⤵PID:2400
-
\??\c:\dpvpj.exec:\dpvpj.exe106⤵PID:3124
-
\??\c:\lxlfxrl.exec:\lxlfxrl.exe107⤵PID:3280
-
\??\c:\3tnhhb.exec:\3tnhhb.exe108⤵PID:2284
-
\??\c:\pddvj.exec:\pddvj.exe109⤵PID:2616
-
\??\c:\rfrffrx.exec:\rfrffrx.exe110⤵PID:824
-
\??\c:\rrlfxlf.exec:\rrlfxlf.exe111⤵PID:4632
-
\??\c:\bntbnh.exec:\bntbnh.exe112⤵PID:4580
-
\??\c:\jddpj.exec:\jddpj.exe113⤵PID:3036
-
\??\c:\vdpvd.exec:\vdpvd.exe114⤵PID:2740
-
\??\c:\rllxrlf.exec:\rllxrlf.exe115⤵PID:3440
-
\??\c:\ttthbb.exec:\ttthbb.exe116⤵PID:2456
-
\??\c:\ppddv.exec:\ppddv.exe117⤵PID:1228
-
\??\c:\lfrxllf.exec:\lfrxllf.exe118⤵PID:3496
-
\??\c:\tnnhhh.exec:\tnnhhh.exe119⤵PID:4196
-
\??\c:\hhbhtb.exec:\hhbhtb.exe120⤵PID:4628
-
\??\c:\1vjpj.exec:\1vjpj.exe121⤵PID:3484
-
\??\c:\frlfxxx.exec:\frlfxxx.exe122⤵PID:1820
-